- Proton recorded 794 major breaches in 2025, exposing more than 306 million records
- 71% of violations Small and medium-sized businesses affected
- Proton urges startup founders to ‘build privately’
If you are the founder of a startup, you may assume that your company is too small, too new, or too obscure to attract the attention of cybercriminals. You would also be wrong.
According to a new report from Swiss privacy giant Proton, the provider behind one of the best secure email and VPN services, early-stage companies are becoming a prime target for hackers.
Data obtained from the Proton Data Breach Observatory reveals that 794 major breaches occurred in 2025 alone, exposing a staggering 306.1 million records. While large corporations often dominate the headlines, Proton found that 71% of breaches actually affected small and medium-sized businesses.
The “too small to hack” myth is dead
Cybercriminals seek the path of least resistance, and increasingly, that path leads to small businesses that own valuable intellectual property (IP) but lack the dedicated security teams of a Global 500 company.
The report identifies a dangerous mindset among European businesspeople: prioritizing speed over safety.
“In startup circles, ‘speed wins,’ and security can be seen as an obstacle to that speed. This can result in crucial steps being missed when securing a deal,” said Patricia Egger, head of security at Proton.
The report highlights that access is often the first objective. Nearly half (49%) of breaches tracked involved compromised passwords. For a small team that uses shared logins through Slack or stores credentials in browsers, a single mistake can hand the keys to the entire kingdom to a threat actor.
Proton’s report cites sobering examples from 2025, including PhoneMondo, a five-person team in Germany that saw more than 10.5 million records exposed, and Tracelo, a US-based tracking app that leaked 1.4 million records. In both cases, the size of the company did not protect the enormous amount of customer data it possessed.
As most SMEs are not prepared to survive a major cyberattack, the consequences, ranging from GDPR fines to a complete loss of consumer trust, can be fatal for a young company.
How to “build privately”
To combat this, Proton is urging startups to “build private.” This initiative pushes founders to build privacy into their operations from day one, rather than implementing it after a breach occurs.
Raphael Auphan, Proton’s chief operating officer, notes that while consumers understand privacy, it can be harder to convey to startup founders when widely adopted big tech tools prioritize speed.
“I can’t stress enough to business founders and owners the importance of pausing to make the conscious decision to ‘build private,’” adds Auphan.
If you run a small business, Proton’s report suggests three critical controls to prevent you from becoming a statistic in 2026:
- Remove reusable credentials: Stay away from shared passwords. Use passcodes or a dedicated password manager to generate unique, secure logins. Apply multi-factor authentication (MFA) everywhere.
- Control your access: Don’t allow all employees to access all files. Centralize your access routes using enterprise VPNs to create a single private gateway. This ensures that even if one device is compromised, the attacker cannot move laterally throughout the network.
- Encrypt everything: Encryption doesn’t stop attacks, but it does render stolen data useless. Make sure your email, cloud storage, and calendar tools use end-to-end encryption so only you have the keys.
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds. Be sure to click the Follow button!
