- What: Study highlights processes and culture as top causes of data breaches
- Impact: Government and organizational leaders face challenges in improving cybersecurity
Processes and Culture Top Reasons Behind Data Breaches

Government leaders revealed that, in spite of state laws meant to improve cyber hygiene, an analysis of incidents showed issues persist and visibility falls short.

Arielle Waldman, Features Writer, Dark Reading
May 20, 2026
6 Min Read

Municipal leaders, utility personnel, and even one retired city auditor were eager to learn which cyber threats are targeting local governments and, more importantly, how to address them, because, as one panelist emphasized: "Nowadays, you will eventually be hit."

Massachusetts state officials and technology specialists gathered to discuss the findings of a new study that examined all the 2024 breaches affecting Massachusetts residents and found that some troubling security gaps persist. Those same gaps, weak passwords and insufficient patch management, affect businesses nationwide. The threat vectors also echoed what vendor reports such as Verizon Business' Data Breach Investigations Report have been saying for years: system intrusions and internet-facing vulnerabilities are how attackers gain access.

MassCyberCenter, a state cybersecurity resource, hosted its sixth annual Massachusetts Municipal Cybersecurity Summit, featuring a panel with its director, John Petrozzeli; Layla D'Emilia, undersecretary of the Office of Consumer Affairs and Business Regulation (OCABR); and Jared Rinehimer, division chief of privacy and responsible technology for the Office of the Attorney General.
The panelists, moderated by Dave Balcar, cyber evangelist at NeXasure, discussed findings from a joint report from OCABR and MassCyberCenter, "Examining the Impact of Data Breaches in Massachusetts."

For starters, while a look into Massachusetts breaches helps defenders, the numbers are likely skewed. Underreporting is an issue the panelists highlighted at length while discussing the 2024 report as well as 2026 challenges. Underreporting is more predominant among private companies, Balcar revealed. Financial services, healthcare, and banking represented the top industries affected by breaches.

Balcar kicked off the panel with one critical question: What's keeping people from reporting?

Following a breach, it does take time for organizations to figure out exactly what happened and what was breached, explained D'Emilia. But transparency is also key so that consumers are in the know, a point she reiterated throughout the session.

The U.S. has no federal law mandating reporting of cyber breaches. States including Massachusetts, California, and New York have passed consumer data protection and privacy legislation, so regulations vary. The Massachusetts Office of the Attorney General requires organizations to "provide notice, as soon as practicable and without unreasonable delay" following a data breach. Filings must include the nature of the breach, whether it involved unauthorized access, the number of affected residents, the type of compromised information, confirmation of a written security program, and all the steps the agency has taken related to the incident.
"We hear a lot, 'We don't actually know what was accessed,' and that's why they aren't filing the breach, and we say, 'That's okay, you can update your filing, but you need to at least abide by the law and get us the information for what you have today,'" she said.

'They're Actively Avoiding Reporting'

Sometimes, organizations don't realize they have an obligation to report, "which is not great and probably why we're here," Rinehimer added.

Rinehimer said he often sees a delay between the incident and reporting, and attributed that to how much personal information organizations store. An incident response investigation may require teams to scour every single email account (some people may have many accounts) to determine whose information was affected. This takes a long time, although the process is getting faster these days, he noted.

But sometimes it's none of the above. It's simply a refusal to report. Organizations may know they have an obligation by law but hold back reporting because they are worried about liability, he explained.

"Don't do that," Rinehimer warned. "Uber did that and it did not end well."

The chief security officer of the ride-share company faced federal felony charges for concealing a 2016 breach. He was eventually sentenced to probation, but Uber faced millions in fines and legal settlements.

Transparency Is a "Legit" Problem

Consumers deserve to know what happened to their data and how an organization responds following an incident, said the panelists. They need to know what was affected, whether that means Social Security numbers, dates of birth, or even more sensitive data, like health information. Once they receive a data breach notification, they can take next steps to protect bank accounts, change compromised passwords, or sign up for free credit monitoring.

"For transparency, it's really important in our world for consumers to know," D'Emilia said. "This is legit."

But the implications are bigger than that. Boosting reporting transparency helps defenders, because patterns emerge that organizations, whether private or public, can learn from in the long run. Patterns, tactics, and insights derived from the report highlight how timely and consistent reporting helps create a fuller picture of a specific threat landscape. In this case, the state of Massachusetts' findings also speak to broader threat intelligence.

Data points from the inaugural report showed that people and processes constituted "two major hangups with a lot of the breaches," warned Petrozzeli. Identity and access management was one area where organizations really struggled, and that isn't just a Massachusetts problem. Multifactor authentication (MFA) was not implemented in places, and "passwords were ridiculously not implemented properly," Petrozzeli said. He cited how commonly organizations used "123456" to protect sensitive data.

The report identified insufficient patch management as another common thread. Many data points showed how commonly system intrusions stemmed from internet-facing vulnerabilities.

Fraudsters Stay One Step Ahead

Processes and culture were a big part of the problem, Petrozzeli added. Many victim organizations only bolstered security protocols after a breach. In some cases, that meant enforcing a more complex password policy, a measure implemented after the fact in 20% to 30% of incidents, he added. "It's like: How are you not doing that now?" he asked.

Technology plays a significant role, but it still comes back to the processes and people, Petrozzeli said. "Do you have leaders who decide it's important to spend money on cyber, or do they not?" he posed. "Or do you have other leaders say, 'We're too small to be hit by these groups.' You're not too small, you're just lucky. Nowadays, you will eventually be hit."
With that in mind, OCABR implemented MFA and instituted a password policy that requires employees to change their passwords every 90 days. Mandatory annual training is another security measure. If employees don't take it, admins shut down their computer, and they've followed through on that promise, D'Emilia said.

However, security protocols need to continue to improve because "fraudsters are so far ahead of us," D'Emilia warned. She warned that policy can't keep up with advanced threat actors. For example, threat actors sent texts to three OCABR employees' personal phones after learning they worked for the banking department. The texts impersonated the head of banking, but luckily the employees didn't fall for it. That isn't always the case.

"They're sort of one step ahead of us," she said. "Everything is online, so it's easy for attackers to see who works where and for who, and who to manipulate."

About the Author

Arielle Waldman, Features Writer, Dark Reading

Arielle spent the last decade working as a reporter, transitioning from human interest stories to covering all things cybersecurity related in 2020. Now, as a features writer for Dark Reading, she delves into the security problems enterprises face daily, providing context and actionable steps. She looks for stories that go past the initial news to understand where the industry is going. Her coverage areas include identity and access management, cyber risk and operations, industrial control systems, operational technology, and ransomware trends. She previously lived in Florida, where she wrote for the Tampa Bay Times before returning to Boston, where her cybersecurity career took off at TechTarget SearchSecurity. When she's not writing about cybersecurity, she pursues personal projects that include a mystery novel and a poetry collection.