My hypothesis would be that companies with poor operational practices are more likely to underperform the index and have data breaches - in other words, that the study confuses cause and effect.
This wouldn't be that hard to test. I suspect that the breached companies underperformed in the six months before the breach as well as the six months after.
Also, events which are not "just" data-leaks but also interruptions or degradation in regular operations. I suspect investors may be more sensitive to those events and their fallout, and such events more likely to either be caused by bad-practice or to be somehow connected to data-leaks.
This wouldn't be that hard to test. I suspect that the breached companies underperformed in the six months before the breach as well as the six months after.