Security Alert · Las Vegas

April 2026 Data Breaches: What They Mean For Your Business

Three major companies breached in a single month. If organizations with billion-dollar security budgets cannot prevent breaches, what should a 20-person Las Vegas business do differently?

Adobe, Booking.com, and Basic-Fit: What April’s Data Breaches Mean for Your Business

Published April 28, 2026  |  Brydan Solutions Inc

April 2026 has been a rough month for major corporations and their customers. Three high-profile data breaches made headlines, each exposing different types of data and exploiting different weaknesses. Here is what happened, why it matters to your business, and what you should be doing about it.

What Happened

Adobe — A threat actor claimed responsibility for breaching Adobe’s systems, exposing an estimated 13 million customer support tickets, 15,000 employee records, internal company documents, and submissions from Adobe’s bug bounty program. The breach exposed the kind of data companies rarely think about protecting: support conversations that contain account details, internal workflows, and security vulnerability reports.

Booking.com — The travel platform notified customers in mid-April that reservation details had been compromised. The exposed data included full names, addresses, booking dates and details, email addresses, phone numbers, and special requests made to hotels. This is exactly the kind of information that makes phishing emails convincing — an attacker who knows where you stayed, when, and what you requested can craft a follow-up email that looks completely legitimate.

Basic-Fit — One of Europe’s largest gym chains disclosed a breach affecting 200,000 members in the Netherlands, including bank details for up to 1 million members. The unauthorized access was detected and contained within minutes — but minutes was all it took to exfiltrate a significant volume of financial data.

Why This Matters for Small Businesses

The instinct for most small business owners is to read stories like these and think: “We are too small to be a target.” That instinct is wrong, and here is why.

You are already in the blast radius. If your business uses Adobe products, Booking.com for travel, or any similar platform, your data may be part of these breaches right now. Your employees’ email addresses, names, and account details from these services are now circulating on dark web marketplaces. Attackers will use that information to craft targeted phishing emails — not against Adobe, but against you.

Small businesses are easier targets. Adobe, Booking.com, and Basic-Fit all have dedicated security teams, enterprise security tools, and incident response plans. They still got breached. The difference is they can absorb the hit. A 20-person law firm or architecture firm that suffers a ransomware attack because an employee clicked a phishing link using credentials exposed in one of these breaches? That could be a business-ending event.

The attack chain starts with stolen data. These breaches do not happen in isolation. Data stolen from Adobe is combined with data stolen from Booking.com, cross-referenced with data from earlier breaches, and used to build detailed profiles of individuals. An attacker who knows your name, email, employer, travel schedule, and software subscriptions can craft a phishing email that is virtually indistinguishable from a legitimate message.

What You Should Do Right Now

You cannot prevent Adobe or Booking.com from getting breached. But you can control what happens when that stolen data is used against your business:

  • Enable MFA everywhere. Multi-factor authentication on every business account — email, VPN, cloud applications, banking. If a password is stolen in a breach, MFA keeps the attacker from logging in with that password alone. This is the single most impactful thing you can do.
  • Deploy advanced email security. Basic spam filtering does not catch modern phishing emails, especially ones crafted with stolen personal data. AI-powered email security tools analyze sender behavior, link destinations, and message context to catch what traditional filters miss.
  • Run dark web monitoring. Services that scan dark web marketplaces for your business domain can alert you when employee credentials appear in breach databases. You cannot fix what you do not know about.
  • Train your team. Security awareness training that includes regular phishing simulations teaches employees to recognize sophisticated attacks — including ones that use personal details stolen from breaches like these.
  • Have an incident response plan. If an employee does click a phishing link, does your team know what to do? Who to call? How to contain the damage? A documented plan reduces response time from hours to minutes.

The Lesson

The lesson from April 2026 is not that security is hopeless. It is that your security strategy should assume that breaches at the companies you do business with are inevitable. Your defense needs to protect your business even when the platforms you depend on fail to protect theirs.

That means layered security: MFA so a stolen password alone is not enough to log in, email protection so phishing emails are caught, dark web monitoring so you know when you are exposed, training so your team recognizes attacks, and an incident response plan so you can respond quickly when something gets through.

Is Your Business Protected?

Brydan Solutions provides layered cybersecurity for Las Vegas businesses — email security, endpoint protection, dark web monitoring, security awareness training, and incident response planning. Our free security assessment identifies where your business is exposed and what it takes to close the gaps.
