Troy Hunt reflects on hitting the 1,000‑breach milestone for Have I Been Pwned, exposing a troubling trend: organizations are taking weeks or months to tell customers about leaks, often because legal risk outweighs consumer protection.
1,000 Breaches and Still Waiting for a Notification

When Troy Hunt added the 1,000th breach to Have I Been Pwned (HIBP), the celebration was muted. Instead of a fireworks‑style press release, Hunt asked a simple, uncomfortable question: Why do we still need breach disclosure when GDPR, CCPA, and dozens of other privacy laws have been around for over a decade? The answer, he argues, is that the disclosure lag—the time between a company learning of a breach and telling the people affected—has grown longer, not shorter.
The Carnival Example: A Six‑Week Blackout
On April 24, 2026, the hacking group ShinyHunters posted a dump of 8.7 million Carnival records on its dark‑web site. Within minutes the data appeared on clear‑web mirrors, Telegram channels, and numerous forums. HIBP flagged the breach the same day, showing that 85% of the exposed email addresses were already searchable.
"The data was posted on the 24th, but Carnival didn’t announce the breach until May 27," Hunt noted on Twitter.
That 43‑day gap meant millions of passengers and loyalty‑program members were unaware that their personal details—names, birth dates, gender, location data, and loyalty points—were publicly available. When a customer finally called Carnival, the representative replied, "I’m in the breach per HIBP, but Carnival is telling me there’s no breach!"
What went wrong?
- Legal review first, notification second – Companies often wait for counsel to assess liability before informing users.
- Class‑action pressure – The threat of a massive lawsuit can make executives hesitant to admit exposure.
- Technical over‑analysis – Teams spend weeks combing through terabytes of exfiltrated data, looking for “the full scope” before sending a single email.
Zara and ZenBusiness: The Pattern Repeats
A week after Carnival, Zara suffered a ShinyHunters dump of 197k unique email addresses, order IDs, and support tickets. HIBP flagged it on May 8, but Zara’s public acknowledgment came 45 days later.
Later, ZenBusiness was hit by the same extortion‑by‑leak model. After a victim asked for clarification, the company replied with a boilerplate legal statement: "If we determine that an incident resulted in the exposure of your protected PII, we will provide notice as legally required." To date, no individual notices have been sent.
Both cases illustrate a new normal: data is leaked, HIBP (or a similar service) flags it within days, but the breached organization remains silent for weeks, sometimes months.
Why Disclosure Lag Is Getting Worse
1. Litigation‑First Mindset
Rob Joyce, a privacy‑law specialist, summed it up after learning about his own exposure in the ZenBusiness breach: "That is not a customer‑protection posture. That is a litigation posture." When senior leadership’s primary fiduciary duty is to shareholders, the calculus shifts from “protect the consumer now” to “minimize legal exposure later.”
2. Regulatory Carve‑Outs
Many privacy regimes contain risk‑based exceptions that let companies delay notification:
- UK GDPR – Requires notice without undue delay only if the breach is likely to result in a high risk to individuals.
- Australia’s Notifiable Data Breaches scheme – Triggers notice only when serious harm is probable.
- US state laws (e.g., CCPA) – Define “sensitive personal information” narrowly; if the leaked data doesn’t fall into that category, the organization can claim no statutory duty to inform.
In the Carnival, Zara, and ZenBusiness incidents, the leaked fields (email, name, loyalty details) do not meet the “special categories” thresholds, giving companies a legal loophole to stay silent.
3. Class‑Action Flood
A quick Google search for the DentaQuest breach returns three class‑action filings on the first page, two more a few results down. The sheer volume of potential lawsuits pushes legal teams to wait for a definitive risk assessment before any public statement, extending the lag.
Practical Takeaways for Security Professionals
- Treat Early Notification as a Risk‑Mitigation Tool – Even a brief email saying "We’ve detected a possible exposure of your email address. We’re investigating and will follow up" can reduce the window for attackers to exploit the data.
- Automate Email Extraction – HIBP shows it’s technically trivial to pull email addresses from a breach dump. Build scripts that parse leaked files and trigger a notification workflow within 24 hours.
- Document a “Fast‑Track” Disclosure Process – Create a playbook that separates initial alert (legal‑review‑free) from full forensic report. The first step should be a consumer‑facing notice, the second a detailed internal analysis.
- Engage Regulators Early – In many jurisdictions, proactive communication can be viewed favorably by data‑protection authorities, potentially reducing fines.
- Monitor HIBP and Similar Services – Set up alerts for your domain(s). If a breach appears there, you have credible evidence that the data is already public, which strengthens the case for immediate disclosure.
What Organizations Can Do Right Now
- Publish a “Breach Notification Policy” on the public website, outlining the timeline (e.g., “We will notify affected individuals within 72 hours of verified discovery”).
- Assign a “Disclosure Owner”—a person or team empowered to send the first email without waiting for senior‑level sign‑off.
- Run Table‑Top Exercises that simulate a leak of email addresses only, to practice rapid, low‑effort notifications.
- Track Disclosure Lag Metrics – Measure the days between first internal awareness and first external notice. Aim for a target of under 7 days for low‑risk data.
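A small Python sketch of the two mechanical steps above: the address extraction from the "Automate Email Extraction" takeaway and the lag metric from "Track Disclosure Lag Metrics". This is an added example, not HIBP's or any named company's code; the dump contents, incident names, dates and the 7‑day target are constructed placeholders.

```python
import re
from datetime import date
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample dump with fake addresses. Real dumps vary in layout, so the
# extractor scans raw text instead of trusting a particular column order.
SAMPLE_DUMP = """id,email,name,loyalty_points
1,Alice@Example.com,Alice,120
2,bob@example.org,Bob,15
3,alice@example.com,Alice,120
4,not-an-email,Carol,0
5, dave@example.net ,Dave,7
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")


def extract_emails(dump_text: str) -> List[str]:
    """Unique, lowercased addresses found anywhere in the dump text.
    Case-insensitive dedup means 'Alice@Example.com' and 'alice@example.com'
    produce one notification, not two."""
    return sorted({m.lower() for m in EMAIL_RE.findall(dump_text)})


def by_domain(emails: List[str]) -> Dict[str, int]:
    """Affected addresses per domain: handy for comparing against a
    domain-search alert and for prioritising outreach to corporate customers."""
    counts: Dict[str, int] = {}
    for addr in emails:
        domain = addr.rsplit("@", 1)[1]
        counts[domain] = counts.get(domain, 0) + 1
    return counts


def disclosure_lag_days(first_aware: date, first_notice: Optional[date], today: date) -> int:
    """Days from first internal awareness to first external notice. If no notice
    has gone out, the lag is still running and is measured up to 'today'."""
    end = first_notice if first_notice is not None else today
    return (end - first_aware).days


def lag_report(incidents: Iterable[Tuple[str, date, Optional[date]]],
               today: date, target_days: int = 7) -> Dict[str, Tuple[int, bool]]:
    """Map each incident name to (lag_days, over_target) so the metric can be tracked."""
    report: Dict[str, Tuple[int, bool]] = {}
    for name, aware, notice in incidents:
        lag = disclosure_lag_days(aware, notice, today)
        report[name] = (lag, lag > target_days)
    return report


# Constructed incident records (placeholder names and dates, not the page's cases).
INCIDENTS = [("loyalty-dump", date(2026, 3, 1), date(2026, 3, 5)),   # notified in 4 days
             ("support-tickets", date(2026, 3, 10), None)]           # still silent
REPORT_DATE = date(2026, 4, 24)
```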
The Bottom Line
Hitting 1,000 breaches in HIBP is a milestone that should have signaled progress, but instead it highlights a systemic failure: companies are increasingly choosing legal caution over consumer protection. The data is out there the moment a hacker posts it; the longer the silence, the more damage users suffer.
For security teams, the path forward is clear: decouple early notification from full forensic analysis, embed it in your incident‑response playbook, and treat rapid, transparent communication as a core security control—not an after‑thought.
If you think your organization is already doing this, run a quick test: check HIBP for your domain today. If you see a breach you haven’t announced, you’ve just discovered a disclosure lag in real time.