Monday , July 13 2026

Majority of US IT Pros Told to Keep Quiet About Data Breaches

While an increasingly number of regulations have made the reporting of data breaches mandatory, a majority of IT professionals in the United States say they have been told to keep quiet about an incident, potentially running afoul of legal requirements.

In a survey released last week, 42% of the more than 400 IT and security professionals surveyed — and 71% of those in the United States — maintain that they have been instructed to keep a data breach confidential when they knew the incident should be reported. Three in 10 of those surveyed have acquiesced and not reported the breach, according to the “2023 Cybersecurity Assessment Report,” published by cybersecurity firm Bitdefender.

Ransomware Crisis in 2026: 5,064 Organizations Affected in 135 Countries

Global ransomware attacks stayed very high in the first seven months of 2026. There were 5,064 confirmed victims in 135...
Read More
Ransomware Crisis in 2026: 5,064 Organizations Affected in 135 Countries

Palo Alto Networks Addresses 13 Vulnerabilities

Palo Alto Networks shared warnings on Wednesday about over twelve security issues in its products. The new warnings include 13 security...
Read More
Palo Alto Networks Addresses 13 Vulnerabilities

Critical Dell BIOS & Zimbra Flaws Expose Enterprise Systems

A critical flaw with how Dell saves BIOS passwords lets anyone quickly recover these passwords from a flash dump without...
Read More
Critical Dell BIOS & Zimbra Flaws Expose Enterprise Systems

CoLoCity Launches New 1.0 MW Data Center Facility at Gulshan

CoLoCity is proud to launch a new Data Center in Gulshan-2. It is designed to meet the growing demand for...
Read More
CoLoCity Launches New 1.0 MW Data Center Facility at Gulshan

Daily Cyber security update for 10. 07. 2026

Cyberattacks are rising around the world, including ransomware, malware, data leaks, and hacked websites. These events show how complex and...
Read More
Daily Cyber security update for 10. 07. 2026

How Hacker Compromise AWS Cloud Environment Using AI in 72 Hours

A major AWS attack shows how attackers with AI can connect known cloud strategies to go from first access to...
Read More
How Hacker Compromise AWS Cloud Environment Using AI in 72 Hours

Mycelium Framework: First AI-as-a-Service Botnet

A new cybercrime ad is catching attention in the security world. It talks about a botnet that doesn't just get...
Read More
Mycelium Framework: First AI-as-a-Service Botnet

CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

CrowdStrike has shared five new ways to inject prompts, showing the rising danger to AI agents as more organizations use...
Read More
CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

Critical GCP Dialogflow Vulnerability Allows Malicious Code Injection

A critical flaw in Google Cloud Platform’s Dialogflow CX lets attackers add harmful code to a company's AI chatbot system....
Read More
Critical GCP Dialogflow Vulnerability Allows Malicious Code Injection

CIRT identified 153 publicly exposed FortiGate devices in Bangladesh

CIRT identified 153 publicly exposed FortiGate devices in Bangladesh. In an advisory CIRT said, the campaign has been observed globally,...
Read More
CIRT identified 153 publicly exposed FortiGate devices in Bangladesh

The pressure to keep silent on a potential breach of data not only puts companies at risk of fines and penalties but could place workers at risk as well. In reality, the decision to disclose a breach or not should rest with the executive teams, says Martin Zugec, technical solutions director at Bitdefender.

“If I’m an IT administrator, and maybe security is not even my full-time job, it’s really hard for me to say if we do have the requirement to disclose or not,” he says. “So the responsibility for security should start with executives, with the leadership of the company, and they should be involved in the decision to disclose.”

The impetus to not report a breach is certainly not new. In 2018, for example, a similar survey found that 84% of cybersecurity professionals expected timely notification of a breach, but only 37% of the same group put an emphasis on the expeditious notification of a breach to their customers. In perhaps the most notorious example, a jury found Joe Sullivan, the former CSO of Uber, guilty of obstruction of justice and a related charge last year for his cover-up of a data breach in 2016.

Regulatory Chaos Leads to Problems in United States

While an increasing number of regulations require that companies disclose, those regulations are unfortunately not consistent. That’s especially true in the United States, where a large company will find itself having to comply with 50 jurisdictions, federal regulations, and industry-specific regulations, says Bryan Cunningham, former deputy legal adviser to Condoleezza Rice when she was national security adviser, and now an adviser with Theon Technology. To boot, many companies have customers in Europe, which places them under requirements of the GDPR.

“There are sometimes instances of data handling where it’s literally impossible to comply with the European Union laws and US laws at the same time,” he says. “So the internal people at these companies are torn in a bunch of different directions.”

The European Union’s integrated approach to data security creates a consistent blanket of requirements compared with the United States and its hodgepodge of state, federal, and industry regulations regarding privacy and data protection — which perhaps leads to better disclosure stats.

Three-quarters of respondents in the US (75%) experienced a data breach in the last 12 months, while 51% of respondents in the United Kingdom, 49% in Germany, and even fewer in Italy, Spain, and France experienced a data breach. Yet, compared with the 71% of respondents in the United States who were instructed to keep a breach quiet, just 44% of respondents in the United Kingdom said the same, 37% in Italy, and less than 35% in Germany, Spain, and France, according to the “2023 Cybersecurity Assessment Report.”

“We need to make it much clearer who’s supposed to do what and when, which is why I believe that initiatives like the GDPR are making us, as a whole society, much safer,” Zugec says. “The model of individual responsibility that we have it set up today [in the US], we are running into its limits.”

Penalties Depend on Jurisdiction, Details

The penalty for failing to report a data breach varies widely by the jurisdiction and the specifics of the case, says Kevin Tunison, data protection officer for Egress, an email security provider. In the case of Uber’s security chief, Sullivan, the company paid hackers $100,000 through a bug bounty program to keep quiet about the breach, and the CEO approved of the action.

“There must be disagreement in a healthy culture to debate whether an incident is reportable — if everyone agreed, there would be no need for data protection legislation,” Tunison says. “Lastly and most importantly, human error is no longer an excuse a business can fall back on. It is the responsibility of every organization to take reasonable and cost-effective steps to avoid the avoidable.”

In the US, the criminal code, Title 18, has a variety of potential charges that could be leveled against a person who hindered a data breach investigation, including by not reporting the original incident as required. In the EU, of the 27 countries signed onto the GDPR, 10 have prison terms as a potential penalty for criminal liability.

“Depending on the jurisdiction(s) the company operates in, the risks can be as significant as life in prison,” Tunison says.

The good news is that companies appear to be changing directions, especially in the wake of the Sullivan case. While small and midsize enterprises may not have received the memo because they typically are not the target of enforcement actions and lawsuits, the largest firms around the world are starting to work with governments and asking for more homogenous regulations, says Theon Technologies’ Cunningham.

“I think there is a pretty significant cultural shift among certainly publicly traded companies and regularly regulated companies, that the days of being able to bury this stuff are over,” he says. “Even the wisdom of doing that has been completely reevaluated.”

Check Also

CLI

Azure CLI Password Spray Impacts 78 Microsoft Accounts in 81M+ Attempts

Cybersecurity researchers have warned of a “massive, ongoing, automated password spray attack” aimed at Microsoft’s …