What are some potential consequences of publicizing a security incident?

Director of IT in Education, 2 years ago

I would say it depends on the severity of the breach, i.e., if the breach doesn’t affect privacy or customer data and gets resolved quickly, then no need to publicize. However, if the breach significantly affects PII or other sensitive data, then you have no choice but to inform the affected data owners.

Publicizing the breach will have a negative effect on the company’s reputation and potentially announce/expose weaknesses in the company’s security posture to the public.

This is a balancing act; every organization should develop a plan to handle this type of situation.

VP, Information Technology in Consumer Goods, 3 years ago

When we had a security incident, the interesting thing for us was that we went public on day one and said, "We're in trouble, we're working through it." The quality of phishing emails we received after that went way up. They used to be things that anyone can spot as a fake, and suddenly they were close enough that people had to call their bosses to verify if their superior had actually sent them a message. The phishing messages were perfect down to the pixel, because we’d painted the biggest target on our back.

Vice President for Information Technology in Education, 3 years ago

Companies are trying to pay ransoms to hackers covertly, but their payments are recorded in blockchain or in Bitcoin, which is viewable. All the other bad actors are looking at who's paying these ransoms, and they're just going after those companies again and again.
