Every year, cybercriminals discover new ways to steal money and data from businesses. Breaking into business networks, extracting sensitive data, and selling it on the dark web has become a reliable source of income.
But in 2025, data breaches affecting small and medium-sized businesses (SMBs) challenged our conventional wisdom about exactly what types of businesses cybercriminals target.
This article outlines the lessons learned from the major data breaches of 2025 and the most effective ways small businesses can protect themselves next year.
Investigating the data breaches of 2025
Before 2025, large companies were popular targets for hackers due to their rich resources. It was believed that small businesses were simply less vulnerable to cyberattacks because they were less valuable to attack.
But a new security study by the Data Breach Observatory shows that things are changing. Small and medium-sized businesses (SMBs) are now more likely to be targeted. This change in strategy was caused by large companies investing in cybersecurity and refusing to pay ransoms. Cybercriminals are now less likely to succeed in attacking these companies and extracting anything of value from them, so they are turning to small and medium-sized businesses instead.
Each attack on a small business may pay out less, but cybercriminals can make up for it by increasing the volume of their attacks. Small and medium-sized businesses have fewer resources to protect their networks, making them more reliable targets. Four out of five small businesses have recently experienced a data breach.
Examining some of these data breaches and the companies affected by them reveals patterns and helps identify failures. The three major SMB data breaches in 2025 are:
- Tracero — More than 1.4 million records stolen from this American mobile geolocation business have surfaced on the dark web following an attack by a hacker known as Satanic. Customer names, addresses, phone numbers, email addresses, and passwords are all available for sale.
- Phone Mondo — The German telecommunications company was breached by hackers and more than 10.5 million records were stolen and posted online. Customers’ names, dates of birth, addresses, phone numbers, email addresses, usernames, passwords, and IBANs were all included in the leaked data.
- Skiro Villa — The 60-person team behind this Indian edtech platform failed to protect extensive customer data collected by the platform, resulting in more than 33 million records being leaked to the dark web. Customer names, addresses, phone numbers, and email addresses were all found online.
What can we learn?
By looking at these specific breaches and considering the broader data breach landscape, we can identify the trends that shaped 2025.
- Small and medium-sized businesses were the top targets for hackers in 2025, accounting for 70.5% of data breaches identified by data breach watchdogs. This means that companies with 1 to 249 employees are most vulnerable to cybersecurity breaches year-round.
- Retail, technology companies, and media/entertainment companies were most frequently targeted.
- Names and contact information are the most common records exposed on the dark web, increasing the risk of phishing attacks targeting employees. Names and emails appeared in 9 out of 10 data breaches.
Given these trends, hackers are likely to continue targeting small businesses in the new year. If your organization falls into this category, you may be at increased risk of a data breach.
However, it is not inevitable. You can protect your organization by considering your business’s sensitive data, how you store it, and what you use to protect it.
How to avoid data breaches in 2026
Avoiding a data breach doesn’t have to be expensive or complicated, as long as your business takes the right approach and finds the right tools.
Adopt two-factor authentication
If all you need to access one of your business tools is a username and password, your network is much easier to compromise. Two-factor authentication (2FA) makes access more difficult for unauthorized individuals.
Introducing a second authentication method, such as an OTP code, security key, or biometric login, not only reduces the time it takes to authenticate to a system and be authorized on it, but also raises the barrier to entry.
Secure access control to your network
The principle of least privilege is a method used to determine who has access to which business tools and data. It stipulates that team members should only have access to the information they need to perform their roles. This access control approach protects your organization by reducing the number of entry points into your network.
Once access is granted only to the team members who strictly need it, that access should be protected with good password hygiene. This includes creating strong passwords, not reusing passwords across multiple accounts, and ensuring companies are notified if their data appears on the dark web. A strong, enforceable password policy supports good password hygiene, and tools and services such as password managers can ensure that the dark web is regularly scanned for business data.
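The access review below is an added example, not part of the original article. It checks a constructed account inventory against a per-role baseline to flag access beyond what a role needs and accounts without 2FA, then counts how many entry points least privilege removes. The role names, tool names, and accounts are all hypothetical.

```python
from dataclasses import dataclass

# Constructed baseline (assumption): the tools each role needs to do its job.
ROLE_NEEDS = {
    "sales": {"crm", "email"},
    "finance": {"accounting", "banking", "email"},
    "engineer": {"source_control", "cloud_console", "email"},
}

@dataclass
class Account:
    user: str
    role: str
    grants: set
    has_2fa: bool

# Constructed sample inventory, e.g. exported from an identity provider.
ACCOUNTS = [
    Account("alice", "sales", {"crm", "email"}, True),
    Account("bob", "sales", {"crm", "email", "banking"}, False),
    Account("carol", "finance", {"accounting", "banking", "email", "cloud_console"}, True),
    Account("dave", "contractor", {"source_control"}, False),
]

def review(accounts, role_needs):
    """Return sorted (user, finding, detail) tuples for every policy gap."""
    findings = []
    for acct in accounts:
        needed = role_needs.get(acct.role)
        if needed is None:
            # No baseline for this role, so none of its grants is justified.
            findings.append((acct.user, "unknown_role", acct.role))
            needed = set()
        excess = sorted(acct.grants - needed)
        if excess:
            findings.append((acct.user, "excess_access", ",".join(excess)))
        if not acct.has_2fa:
            findings.append((acct.user, "missing_2fa", ""))
    return sorted(findings)

def entry_points(accounts):
    """Count (user, tool) pairs; each one is a login an attacker could abuse."""
    return sum(len(a.grants) for a in accounts)

def apply_least_privilege(accounts, role_needs):
    """Return copies of the accounts with grants trimmed to the role baseline."""
    return [Account(a.user, a.role, a.grants & role_needs.get(a.role, set()), a.has_2fa)
            for a in accounts]

if __name__ == "__main__":
    for finding in review(ACCOUNTS, ROLE_NEEDS):
        print(finding)
    trimmed = apply_least_privilege(ACCOUNTS, ROLE_NEEDS)
    print("entry points:", entry_points(ACCOUNTS), "->", entry_points(trimmed))
```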
Keep sensitive data safe
If passwords and email addresses are compromised, employees are at increased risk of being targeted by phishing attacks and having their accounts compromised. Even one compromised account can lead to a data breach.
Employ a secure business password manager to create a single, secure repository for all your business credentials. A password manager allows all team members to securely generate strong passwords that meet your company’s password policies, autofill passwords on frequently visited websites and apps, and securely share credentials when needed. This protects all of these critical entry points into your business network.