> Can we really victim-blame someone for falling for an attack

The victims may well be those who are potentially endangered by the leakage of information caused by the decision maker. Regardless of that hypothetical, the person responsible for the leak is not the victim.

If you deal with highly confidential information in your day-to-day work, you should be held accountable for keeping it confidential. This is nothing new in the corporate world, so I don't see why public officials should be held to different standards.

Remember: It was apparently a phishing attack. Someone literally asked her for her credentials. It is within the capabilities of an adult to refrain from handing out important information when asked in a no trust environment. If that's truly beyond their capabilities, they should consider another profession.

I'm not arguing for a witch-hunt or anything against this specific person. Learnings should be constructive and this could have happened to many other public officials. Just, maybe.. if you or I breach protocol, let's not call us the victims.

Media education would be a great start.