- Proton recorded 794 major breaches in 2025, exposing 306+ million records
- 71% of violations affected small and medium-sized enterprises
- Proton encourages startup founders to ‘build private’
If you’re a startup founder, you may assume that your business is too small, too new, or too obscure to attract the attention of cybercriminals. You would be wrong too.
According to a new report from Swiss privacy giant Proton – the provider behind one of the best VPN and secure email services – early-stage companies are becoming a prime target for hackers.
Data sourced from Proton’s Data Breach Observatory reveals that 794 significant breaches occurred in 2025 alone, exposing a staggering 306.1 million records. While massive companies often dominate the headlines, Proton found that 71% of breaches actually affected small and medium-sized businesses.
The myth of “too small to hack” is dead
Cybercriminals look for the path of least resistance, and increasingly that path leads to small businesses that have valuable intellectual property (IP) but lack the dedicated security teams of a Global 500 company.
The report identifies a dangerous mindset among European entrepreneurs: the prioritization of speed over security.
“In startup circles, ‘speed’ wins, and security can be seen as an obstacle to that speed. This can result in missing critical steps when securing a business,” says Patricia Egger, head of security at Proton.
The report highlights that access is often the first goal. Almost half (49%) of the breaches tracked involved compromised passwords. For a small team using shared logins over Slack or storing credentials in browsers, a single slip-up can give the keys to the entire kingdom to a threat actor.
Proton’s report cites sobering examples from 2025, including PhoneMondo, a five-person team in Germany that saw over 10.5 million records exposed, and Tracelo, a US-based tracking app that leaked 1.4 million records. In both cases, the size of the company did not protect the huge amount of customer data they had.
Since most SMBs are not set up to survive a major cyber attack, the consequences, from GDPR fines to a total loss of consumer trust, can be fatal for a young business.
How to “build privately”
To combat this, Proton encourages startups to “build private”. This initiative pushes founders to integrate privacy into their activities from day one, instead of screwing it up after a breakup.
Raphael Auphan, COO of Proton, notes that while consumers understand privacy, it can be harder to convey to startup founders when widely used big tech tools prioritize speed.
“I cannot stress enough to founders and business owners the importance of pausing to make the conscious choice to ‘build private,'” adds Auphan.
If you run a small business, Proton’s report suggests three critical controls to prevent you from becoming a statistic in 2026:
- Remove reusable credentials: Move away from shared passwords. Use passkeys or a dedicated password manager to generate unique, strong logins. Enforce Multi-Factor Authentication (MFA) everywhere.
- Make your entry: Do not allow all employees to access all files. Centralize your access paths using business VPNs to create a single private gateway. This ensures that even if one device is compromised, the attacker cannot move laterally across your entire network.
- Encrypt everything: Encryption does not stop attacks, but it renders the stolen data unusable. Make sure your email, cloud storage and calendar tools use end-to-end encryption so only you have the keys.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds. Be sure to click the Follow button!
