Processes and Culture Top Reasons Behind Data Breaches
Recorded: May 20, 2026, 8:58 p.m.
Original
Government leaders revealed that, in spite of state laws meant to improve cyber hygiene, an analysis of incidents showed issues persist and visibility falls short.

Arielle Waldman, Features Writer, Dark Reading
May 20, 2026
6 Min Read

Municipal leaders, utility personnel, and even one retired city auditor were eager to learn which cyber threats are targeting local governments and, more importantly, how to address them because, as one panelist emphasized: "Nowadays, you will eventually be hit."

Massachusetts state officials and technology specialists gathered to discuss the findings of a new study that examined the breaches reported in 2024 affecting Massachusetts residents and found that some troubling security gaps persist. Those same gaps, weak passwords and insufficient patch management, affect businesses nationwide. The threat vectors also echoed what vendor reports such as Verizon Business' Data Breach Investigations Report have been saying for years: system intrusions and internet-facing vulnerabilities are how attackers gain access.

MassCyberCenter, a state cybersecurity resource, hosted its sixth annual Massachusetts Municipal Cybersecurity Summit, featuring a panel with its director, John Petrozzeli; Layla D'Emilia, undersecretary of the Office of Consumer Affairs and Business Regulation (OCABR); and Jared Rinehimer, division chief of privacy and responsible technology for the Office of the Attorney General. The panelists, moderated by Dave Balcar, cyber evangelist at NeXasure, discussed findings from a joint OCABR and MassCyberCenter report, "Examining the Impact of Data Breaches in Massachusetts."

For starters, while a look into Massachusetts breaches helps defenders, the numbers are likely skewed. Underreporting is an issue the panelists highlighted at length while discussing the 2024 report as well as 2026 challenges. Underreporting is more prevalent among private companies, Balcar revealed. Financial services, healthcare, and banking represented the top industries affected by breaches.
Balcar kicked off the panel with one critical question: What's keeping people from reporting?

Following a breach, it does take time for organizations to figure out exactly what happened and what was breached, D'Emilia explained. But transparency is also key so that consumers are in the know, a point she reiterated throughout the session.

The U.S. has no general federal law mandating notification of data breaches; federal requirements are sector-specific (HIPAA for health data, for example, and SEC disclosure rules for public companies), and every state has its own breach-notification statute. States including Massachusetts, California, and New York have additionally passed consumer data protection and privacy legislation, so the rules an organization faces vary with where its customers live. The Massachusetts Office of the Attorney General requires organizations to "provide notice, as soon as practicable and without unreasonable delay" following a data breach. Filings must include the nature of the breach, whether it involved unauthorized access, the number of affected residents, the type of compromised information, confirmation of a written security program, and all the steps the organization has taken in response to the incident.

"We hear a lot, 'We don't actually know what was accessed,' and that's why they aren't filing the breach, and we say, 'That's okay, you can update your filing, but you need to at least abide by the law and get us the information for what you have today,'" she said.

'They're Actively Avoiding Reporting'

Sometimes, organizations don't realize they have an obligation to report, "which is not great and probably why we're here," Rinehimer added.

Rinehimer said he often sees a delay between the incident and reporting, and attributed that to how much personal information organizations store. An incident response investigation may require teams to scour every email account (some people may have many accounts) to determine whose information was affected. This takes a long time, although the process is getting faster these days, he noted.

But sometimes it's none of the above. It's simply a refusal to report.
Organizations may know they have an obligation by law but hold back reporting because they are worried about liability, he explained.

"Don't do that," Rinehimer warned. "Uber did that and it did not end well."

The chief security officer of the ride-share company faced federal felony charges for concealing a 2016 breach. He was eventually sentenced to probation, but Uber faced millions in fines and legal settlements.

Transparency Is a "Legit" Problem

Consumers deserve to know what happened to their data and how an organization responds to a breach, the panelists said. They need to know what was affected, whether that means Social Security numbers, dates of birth, or even more sensitive data, like health information. Once they receive a data breach notification, they can take next steps to protect bank accounts, change compromised passwords, or sign up for free credit monitoring.

"For transparency, it's really important in our world for consumers to know," D'Emilia said. "This is legit."

But the implications are bigger than that. Boosting reporting transparency helps defenders, because patterns emerge that organizations, whether private or public, can learn from in the long run. Patterns, tactics, and insights derived from the report highlight how timely and consistent reporting helps create a fuller picture of a specific threat landscape. In this case, the state of Massachusetts' findings also speak to broader threat intelligence.

Data points from the inaugural report showed that people and processes constituted "two major hangups with a lot of the breaches," Petrozzeli warned.

Identity and access management was one area where organizations really struggled, and that isn't just a Massachusetts problem. Multifactor authentication (MFA) was not implemented in places, and "passwords were ridiculously not implemented properly," Petrozzeli said.
He cited how commonly organizations used "123456" to protect sensitive data. The report identified insufficient patch management as another common thread. Many data points showed how often system intrusions stemmed from vulnerabilities in internet-facing systems.

Fraudsters Stay One Step Ahead

Processes and culture were a big part of the problem, Petrozzeli added. Many victim organizations only bolstered security protocols after a breach. In some cases, that meant enforcing a more complex password policy, a measure implemented after the fact in 20% to 30% of incidents, he added. "It's like: How are you not doing that now?" he asked.

Technology plays a significant role, but it still comes back to processes and people, Petrozzeli said. "Do you have leaders who decide it's important to spend money on cyber, or do they not?" he posed. "Or do you have other leaders say, 'We're too small to be hit by these groups.' You're not too small, you're just lucky. Nowadays, you will eventually be hit."

With that in mind, OCABR implemented MFA and instituted a password policy that requires employees to change theirs every 90 days. Mandatory annual training is another security measure. If employees don't take it, admins shut down their computer, and they've followed through on that promise, D'Emilia said.

However, security protocols need to continue to improve because "fraudsters are so far ahead of us," D'Emilia warned. Policy can't keep up with advanced threat actors, she said. For example, threat actors sent texts to three OCABR employees' personal phones after learning they worked for the banking department. The texts impersonated the head of banking, but luckily the employees didn't fall for it. That isn't always the case.

"They're sort of one step ahead of us," she said. "Everything is online, so it's easy for attackers to see who works where and for whom, and who to manipulate."
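The weak-password findings above are the one place in this report where a concrete control can be shown in code. What follows is an added example, not code from the Massachusetts report, the panelists' agencies, or Dark Reading: a NIST SP 800-63B-style password check that rejects deny-listed passwords such as "123456" (including leetspeak and trailing-digit variants like "P@ssw0rd2024!"), passwords that are one short block repeated to pad out the length, and passwords containing context words such as the username or the employer's name. The deny-list, the 12-character minimum, the context words and the sample passwords are constructed for illustration; a real deployment would load a full breached-password corpus in place of the small set below.

```python
"""Deny-list password screening in the style of NIST SP 800-63B.

Added example for this article; not code from the Massachusetts report or
any of the organizations named in it. The deny-list, thresholds and sample
passwords below are constructed stand-ins (assumptions), not real data.
"""
import re
import unicodedata

MIN_LENGTH = 12   # assumption: 800-63B mandates >= 8; many policies choose 12
MAX_LENGTH = 128  # upper bound so a huge input cannot abuse the hashing cost

# Constructed deny-list. In production, load a breached-password corpus instead.
COMMON_PASSWORDS = {
    "123456", "123456789", "12345678", "password", "qwerty", "abc123",
    "111111", "iloveyou", "admin", "welcome", "letmein", "password1",
}

# Undo the usual character substitutions so "P@ssw0rd" compares as "password".
_LEET = str.maketrans({"@": "a", "$": "s", "!": "i", "0": "o", "1": "i",
                       "3": "e", "4": "a", "5": "s", "7": "t"})


def variants(pw: str) -> set[str]:
    """Forms of the password that are compared against the deny-list."""
    base = unicodedata.normalize("NFKC", pw).lower()
    # Drop a trailing run of digits/symbols: "welcome2024!" -> "welcome".
    stripped = re.sub(r"[\W\d_]+$", "", base)
    return {base, stripped, base.translate(_LEET), stripped.translate(_LEET)}


def check_password(pw: str, context: tuple[str, ...] = ()) -> list[str]:
    """Return the list of policy violations (an empty list means acceptable).

    `context` holds words that must not appear in the password, e.g. the
    username or the employer's name.
    """
    reasons: list[str] = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too_short")
    if len(pw) > MAX_LENGTH:
        reasons.append("too_long")
    if variants(pw) & COMMON_PASSWORDS:
        reasons.append("common_password")
    # One character or one short block repeated ("aaaaaaaaaaaa", "abcabcabcabc")
    # satisfies the length rule without adding any real entropy.
    if re.fullmatch(r"(.{1,3})\1+", pw):
        reasons.append("repetitive")
    lowered = unicodedata.normalize("NFKC", pw).lower()
    for word in context:
        w = word.lower()
        if len(w) >= 3 and (w in lowered or w in lowered.translate(_LEET)):
            reasons.append("contains_context")
            break
    return reasons


# Constructed sample passwords in the spirit of the report's findings,
# each paired with constructed context words (username, employer).
SAMPLES = {
    "123456": (),
    "P@ssw0rd2024!": (),
    "aaaaaaaaaaaaaa": (),
    "Ocabr-Banking-2026!": ("jdoe", "OCABR"),
    "correct horse battery staple": ("jdoe", "OCABR"),
}


def screen_samples() -> dict[str, list[str]]:
    """Run check_password over SAMPLES and return each verdict."""
    return {pw: check_password(pw, ctx) for pw, ctx in SAMPLES.items()}


if __name__ == "__main__":
    for pw, reasons in screen_samples().items():
        verdict = "ACCEPT" if not reasons else "REJECT " + ", ".join(reasons)
        print(f"{pw!r:32} {verdict}")
```

Worth reading alongside OCABR's 90-day rotation rule: SP 800-63B advises verifiers not to require periodic password changes unless there is evidence of compromise, and to rely instead on deny-list screening, length, and MFA, which is the approach this check implements.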
About the Author

Arielle Waldman, Features Writer, Dark Reading

Arielle spent the last decade working as a reporter, transitioning from human interest stories to covering all things cybersecurity related in 2020. Now, as a features writer for Dark Reading, she delves into the security problems enterprises face daily, providing context and actionable steps. She looks for stories that go past the initial news to understand where the industry is going. Her coverage areas include identity and access management, cyber risk and operations, industrial control systems, operational technology, and ransomware trends. She previously lived in Florida, where she wrote for the Tampa Bay Times, before returning to Boston, where her cybersecurity career took off at TechTarget SearchSecurity. When she's not writing about cybersecurity, she pursues personal projects that include a mystery novel and a poetry collection.
Summarized

Government leaders have revealed that despite the existence of state laws intended to enhance cybersecurity hygiene, persistent issues and insufficient visibility remain a challenge in addressing cyber incidents. A study examining breaches in Massachusetts indicated that security gaps like weak passwords and inadequate patch management affect businesses nationwide, highlighting that the threat vectors utilized by attackers often involve system intrusions and internet-facing vulnerabilities, consistent with reports from vendors like Verizon Business. A panel discussion featuring government officials and technology specialists explored these findings, emphasizing that the difficulty in achieving full transparency is rooted in organizational reluctance to report. While organizations have legal obligations to provide notice following a data breach, there is often a delay in reporting, which panelists attributed to the time required for incident response investigations, especially when auditing numerous email accounts to determine the scope of affected information. Furthermore, some organizations actively avoid reporting due to concerns over liability, demonstrating that transparency remains a challenge. Consumers deserve a thorough understanding of data breaches and organizational responses, as transparency is crucial for enabling protective measures, such as changing passwords or seeking credit monitoring. The failure to report, whether due to a lack of knowledge of obligations or fear of legal repercussions, obscures the patterns, tactics, and insights necessary for effective long-term threat intelligence gathering. The specific data points from the Massachusetts investigation pointed to fundamental organizational struggles, identifying people and processes as major obstacles to effective security.

Identity and access management was identified as a significant area of difficulty, with many organizations failing to implement multifactor authentication or properly enforce password policies, with common weak password practices persisting. Insufficient patch management was also a common thread, underscoring the vulnerability introduced by known internet-facing weaknesses. The analysis further stressed that processes and culture played a significant role in the breaches. Many organizations only implemented enhanced security protocols after a breach occurred, for instance, enforcing complex password policies retrospectively in a minority of incidents. This reactive approach neglects the underlying leadership structure; the question of whether leaders prioritize spending on cybersecurity or mistakenly believe they are sufficiently protected is central to the problem. Although measures like mandatory annual training and implementing multifactor authentication have been introduced by regulatory bodies, the continuous evolution of threat actors means that policies must constantly adapt because adversaries are continually advancing. The text warns that policy alone cannot keep pace with sophisticated threat actors who exploit the interconnected online environment to map out organizational structures and manipulate personnel.