- Proton recorded 794 major breaches in 2025, exposing 306+ million records
- 71% of breaches affected small- and medium-sized businesses
- Proton urges startup founders to "build in private"
If you are a startup founder, you might assume your business is too small, too new, or too obscure to attract the attention of cybercriminals. You would also be wrong.
According to a new report from Swiss privacy giant Proton – the provider behind one of the best VPN and secure email services – early-stage companies are becoming a primary target for hackers.
Data sourced from Proton's Data Breach Observatory reveals that 794 significant breaches occurred in 2025 alone, exposing a staggering 306.1 million records. While massive corporations often dominate the headlines, Proton found that 71% of breaches actually affected small- and medium-sized businesses.
The "too small to hack" myth is dead
Cybercriminals are looking for the path of least resistance, and increasingly, that path leads to small businesses that hold valuable intellectual property (IP) but lack the dedicated security teams of a Global 500 enterprise.
The report identifies a dangerous mindset among European entrepreneurs: the prioritization of speed over security.
"In startup circles, 'speed wins,' and security can be seen as a hindrance to that speed. This can result in missing crucial steps when securing a business," said Patricia Egger, Head of Security at Proton.
The report highlights that access is often the first target. Nearly half (49%) of the breaches tracked involved compromised passwords. For a small team using shared logins over Slack or saving credentials in browsers, a single slip-up can hand the keys to the entire kingdom to a threat actor.
Proton’s report cites sobering examples from 2025, including PhoneMondo, a five-person team in Germany that saw over 10.5 million records exposed, and Tracelo, a US-based tracking app that leaked 1.4 million records. In both cases, the size of the company didn't protect the massive amount of customer data they held.
As most SMBs aren't set up to survive a major cyberattack, the consequences, ranging from GDPR fines to total loss of consumer trust, can be fatal for a young company.
How to "Build in Private"
To combat this, Proton is urging startups to "build in private." This initiative pushes founders to embed privacy into their operations from day one, rather than bolting it on after a breach occurs.
Raphael Auphan, COO of Proton, notes that while consumers understand privacy, it can be harder to convey to founders of startups when widely adopted big tech tools prioritize speed.
"I cannot stress enough to founders and business owners the importance of pausing to make the conscious choice to 'build in private'," Auphan adds.
If you are running a small business, Proton’s report suggests three critical controls to stop you from becoming a statistic in 2026:
- Eliminate Reusable Credentials: Move away from shared passwords. Use passkeys or a dedicated password manager to generate unique, strong logins. Enforce Multi-Factor Authentication (MFA) everywhere.
- Gate Your Access: Don't let every employee access every file. Centralize your access paths using business VPNs to create a single private gateway. This ensures that even if one device is compromised, the attacker cannot move laterally across your entire network.
- Encrypt Everything: Encryption doesn't stop attacks, but it makes the stolen data useless. Ensure your email, cloud storage, and calendar tools use end-to-end encryption so that only you hold the keys.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.