I’m never one to victim-blame after a breach. Security is hard, social engineering always works eventually, and risk management is genuinely complex. Unless an org was WILDLY negligent, I’m a big believer in not shaming them for getting breached.

That said, the moment a breached org describes the breach as being the result of a “sophisticated” attack, every neck hair I have stands on end and I prepare to retract the benefit of the doubt. Because 99% of the time*, that “sophistication” was a kid claiming to be the county password inspector in an email or some shit.

The lies and hyperbole work for now, but some org is going to get stuck holding the bag on that “but it was sophisticated and impossible to defend against!” tactic when some savvy shareholder (or SEC wonk with an ax to grind) recognizes it as a material falsehood.