
Don't Wait Until It Is Too Late: Your Customer Data Isn't Safe


By Untrained Momentum | May 2026

You didn't get hacked. Nobody broke into your network. Nobody targeted your business. You could be a florist in Big Rapids, a salon owner in Stanwood, a pet groomer who's been at it for twelve years with no issues. Why would anyone bother?

Here is the problem: data is valuable.

Three things happened in the last few weeks that should make every small business owner stop and think about where their customer data actually lives — and what happens to it when the platform they trusted has a bad day.

The Teacher Who Lost Everything Mid-Exam

On May 7, 2026, millions of students and teachers logged into Canvas — the learning management system used by roughly 41% of colleges and universities in North America — and found a ransom note instead of their coursework.

A hacking group called ShinyHunters had broken in. Not through some sophisticated zero-day exploit. Not by targeting a specific school. They got in through a Free-for-Teacher account — a lower-security tier that Canvas offered for free, with fewer protections than paid institutional accounts. That one overlooked account type became the door into a platform serving 30 million users.

Private messages between students and professors. Names. Email addresses. Student ID numbers. All of it sitting in a platform nobody thought twice about — because it always worked.

Teachers mid-lecture lost access. Students mid-exam lost access. Finals were postponed. Exams scrapped. Universities told students to check their regular email — not Canvas — for updates, because Canvas was gone. Many posts surfaced online from frustrated teachers who had no way to contact their students at those email addresses and no backups of their curriculum.

Here's the thing that should hit home for a small business owner: those teachers didn't do anything wrong. They used the tool their institution provided. They had no visibility into how it was secured, what accounts had access, or whether anyone was watching for unauthorized activity. They just showed up to work and trusted it. They didn't know any better.

Sound familiar?


The Car Rental Shop That Lost Every Reservation in 9 Seconds

Three weeks before Canvas went down, on April 25, 2026, small car rental businesses across the country showed up on Saturday morning to find their reservation systems completely empty.

Not slow. Not partially down. Gone.

PocketOS — the software platform those businesses depended on to manage every booking, every payment, every vehicle assignment — had its entire production database deleted. Not by hackers. By an AI coding tool that was running a routine fix and made a catastrophic mistake. The whole database wiped in 9 seconds. And then the backups were deleted too — because they were stored in the same place as the data they were supposed to protect.

The founder of PocketOS spent the weekend manually rebuilding customer records by cross-referencing Stripe payment histories against calendar invites and email confirmations. Meanwhile, every one of their customers was running their own emergency workflow. Customers standing at rental counters. No record of who booked what. No record of who already paid.

Those car rental shop owners didn't get hacked. They used software and did exactly what most small businesses do — they trusted a platform with their most critical data and had no independent copy of any of it.

If PocketOS had gone under that weekend and never recovered the data — and they nearly didn't — those businesses would have lost every customer record they ever had.


The Ice Cream Shop That Lost $8,000 in One Afternoon

In September 2023, Adam Blackbill noticed around 2 p.m. that he wasn't getting sales reports from his three ice cream shops. He runs Urban Churn, a small business in central Pennsylvania that has processed every payment through Square since 2014.

Square was down. Not hacked — just down. A systems outage that lasted over 14 hours.

His employees couldn't input orders. He couldn't send invoices to wholesale customers. He couldn't withdraw money. Employees couldn't even clock in and out of their shifts.

By the time Square came back up, Blackbill estimates Urban Churn lost between $8,000 and $10,000 in revenue. In Miami, Harry Coleman watched customers walk out of his smokehouse during dinner service because they didn't carry cash. He lost around $2,000 in one evening. In California, Vincent Shay spent hours assuming his own Wi-Fi was broken before he figured out it was Square — and then closed his shop early because there was nothing else he could do.

Square's response? An apology posted on X. No compensation. No SLA. No obligation to make anyone whole.

And here's the part buried in the fine print that most small business owners never read: when a payment processor goes down and you lose sales, that is your problem, not theirs.



The Pattern Nobody Is Talking About

Three different incidents. Three different causes. One thing in common:

Small business owners had their most critical data and operations sitting inside platforms they didn't control, with no backup, no monitoring, and no plan for when something went wrong.

  • The teachers had no local copy of their course materials or student records

  • The car rental shops had no independent backup of their customer reservations

  • The ice cream shops had no fallback for taking payments when their processor failed

This is not about getting hacked. This is about single points of failure — and most small businesses are built entirely on them.

Think about your own business for a moment:

  • Where does your customer list live?

  • If your booking software went down today, do you have a copy of your appointments?

  • If your payment processor had a 14-hour outage, could you still take money?

  • If the software company you depend on had a bad weekend and lost your data, would you have any of it?

For most small businesses — salons, gyms, auto shops, pet groomers, chiropractors, boutiques — the honest answer to most of those questions is no.

What You Can Actually Do Right Now

You don't need a full IT department. You need a plan. Here are the basics:

1. Know whether your payment processor has an offline mode. Square has one. Most businesses don't know it exists. Offline mode lets you take card payments when your internet or Square's servers are down — it processes them automatically when the connection is restored. Find it, test it, make sure your staff knows how to use it. Keep a small cash float in your register as a last resort. And for anyone who pays with a card while you're offline, get their contact info manually so you can follow up if the transaction fails.

2. Export your customer data regularly — and store it somewhere you own. If you use booking software, a CRM, or any platform that holds customer contact information, most of them have an export function. Use it. Put a reminder in your calendar for the first of every month. Export your customer list to a spreadsheet and save it somewhere that isn't inside that platform — a Google Drive you control, a local hard drive, anywhere that isn't the same place as the original. If PocketOS had done this, those car rental shops would have had a 30-day-old list to work from instead of nothing. With today's automation, it takes nothing to back it up nightly.

3. Understand what your backups actually protect. PocketOS had backups. They were stored in the same place as the data. When the data was deleted, the backups went with it. Ask yourself: if the platform you use had a catastrophic failure right now, where are your backups, and are they actually separate from the original? If you don't know the answer, you don't have a backup — you have a false sense of security.

4. Stop treating free tiers as safe tiers. The Canvas breach started with a free account type that had weaker security than paid accounts. Free software is everywhere in small business — free versions of scheduling tools, free CRMs, free email marketing platforms. Free tiers often have fewer security controls, less monitoring, and less accountability. That doesn't mean never use them. It means know what you're trusting and what you're not.
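
A way to check steps 2 and 3 automatically, as an added example that is not part of the original article: the script flags an exported customer list that is missing, older than a month, empty, or stored on the same volume as the original data. The file name, the 31-day limit and the volume comparison (which only detects separation between local or mounted drives) are assumptions.

```python
import csv
import tempfile
import time
from pathlib import Path

MAX_AGE_DAYS = 31  # assumption: matches the monthly export reminder in step 2

def volume_id(path):
    """Identifier of the volume that holds `path` (st_dev from os.stat)."""
    return Path(path).stat().st_dev


def check_export(export, original_dir, now=None, volume_id=volume_id):
    """Return the problems found with an exported customer list; [] means it passes."""
    export = Path(export)
    if not export.is_file():
        return ["missing: no export file found"]
    problems = []
    now = time.time() if now is None else now
    age_days = (now - export.stat().st_mtime) / 86400
    if age_days > MAX_AGE_DAYS:
        problems.append(f"stale: export is {age_days:.0f} days old")
    with export.open(newline="", encoding="utf-8") as fh:
        if sum(1 for _ in csv.DictReader(fh)) == 0:
            problems.append("empty: export has no customer rows")
    # Step 3: a copy on the same volume is lost together with the original.
    if volume_id(export) == volume_id(original_dir):
        problems.append("not separate: export shares a volume with the original")
    return problems


def demo():
    """Run the check on a constructed two-customer export in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        export = Path(tmp) / "customers.csv"
        export.write_text("name,email\nA Sample,a@example.com\nB Sample,b@example.com\n",
                          encoding="utf-8")
        # Stand-in for an export kept on an external drive: report a different volume.
        elsewhere = lambda p: 1 if Path(p) == export else 2
        same_volume = check_export(export, tmp)
        separate = check_export(export, tmp, volume_id=elsewhere)
        in_45_days = time.time() + 45 * 86400  # simulate a forgotten reminder
        stale = check_export(export, tmp, now=in_45_days, volume_id=elsewhere)
    return same_volume, separate, stale


if __name__ == "__main__":
    for label, result in zip(("same volume", "separate", "stale"), demo()):
        print(f"{label}: {result or 'OK'}")
```

Run it from the same scheduled task that performs the export, passing the real export path and the folder that holds the working copy.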

Better Yet, Partner with Untrained Momentum

None of these businesses needed a Fortune 500 IT department. What they needed was someone paying attention.

Someone familiar with technology best practices. Someone making sure backups are stored separately from the data they protect. Someone who knows your payment processor's offline mode exists and has it set up before you need it on a Saturday afternoon in the middle of your busiest season.

That's what managed IT actually looks like for a small business. Not a server room. Not a full-time hire. Just someone keeping an eye on the things you don't have time to watch — and making sure that when a platform has a bad day, it's an inconvenience and not a crisis.

If you want to talk through what that looks like for your business, reach out. We'll start with what you actually need, not what's most profitable to sell you.

Untrained Momentum, LLC provides managed IT services, business process consulting, and technology guidance for small businesses in Big Rapids, MI and beyond.

 
 
 
