This problem might occur with personal email addresses that my friends have: their computers somehow get infected with viruses or compromised, and they get hold of my personal email. But when a specific alias used specifically for a given service receives spam, it means that the company's database has been compromised and my address was obtained from that organization.
The issue is that these companies also retain customer info besides email addresses, which might also be compromised.
This is truly the result of mediocre software practices, where passwords and important customer information are stored in plain text. Organizations that retain customer information must become liable for any breach of information if they don't provide sufficient security for the customer data. If you are not able to maintain the database with sufficient security measures, then don't keep the customer data; you are simply not worthy of retaining that data.
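The per-service alias idea described above can be automated over a spam folder. The following is an added example, not code from the original post: it reads the recipient headers of each spam message and counts hits per alias. The mailbox `me@example.org`, the plus-addressing scheme, the tag names and the sample messages are all assumptions constructed for illustration.

```python
from collections import Counter
from email import message_from_string
from email.utils import getaddresses

# Assumptions (not from the post): one mailbox with plus-addressed aliases,
# e.g. me+bookshop@example.org was given only to the "bookshop" service.
MAILBOX, DOMAIN = "me", "example.org"
RECIPIENT_HEADERS = ("Delivered-To", "X-Original-To", "To", "Cc")

def alias_tags(raw_message):
    """Return the set of alias tags this message was addressed to."""
    msg = message_from_string(raw_message)
    tags = set()
    for header in RECIPIENT_HEADERS:
        for value in msg.get_all(header, []):
            for _name, addr in getaddresses([value]):
                local, _, domain = addr.lower().rpartition("@")
                if domain != DOMAIN:
                    continue  # not one of our addresses
                base, plus, tag = local.partition("+")
                if base == MAILBOX:
                    tags.add(tag if plus and tag else "(untagged)")
    return tags

def attribute_spam(raw_messages):
    """Count spam messages per alias tag; each message counts once per tag."""
    counts = Counter()
    for raw in raw_messages:
        counts.update(alias_tags(raw))
    return counts

# Constructed sample spam; only the recipient headers matter here.
SAMPLE_SPAM = [
    "Delivered-To: me+bookshop@example.org\nTo: Me <ME+Bookshop@example.org>\n"
    "From: a@spam.invalid\nSubject: win\n\nbody",
    "To: me+bookshop@example.org\nFrom: b@spam.invalid\nSubject: pills\n\nbody",
    "To: me+forum@example.org, other@elsewhere.invalid\nFrom: c@spam.invalid\n\nbody",
    "To: me@example.org\nFrom: d@spam.invalid\nSubject: hi\n\nbody",
]

if __name__ == "__main__":
    for tag, n in attribute_spam(SAMPLE_SPAM).most_common():
        print(f"{tag}: {n}")
```

Hits on a tagged alias point at the one service that was given that address, while the `(untagged)` bucket collects spam to the shared personal address, whose source cannot be narrowed down this way.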