1k Data Breaches Later, the Disclosure Lag Is Worse
Breach disclosure delays are getting worse, not better: at the 1,000-breach mark for Have I Been Pwned, companies are still taking 40+ days to notify victims.
Troy Hunt marked the 1,000th breach loaded into Have I Been Pwned by observing that disclosure lags have grown longer, not shorter, despite privacy regulations such as GDPR and CCPA. In the Carnival breach, the data was publicly leaked on April 24 but the company did not disclose it until May 27, a 43-day gap; a subsequent breach took 45 days. Hunt attributes the delays partly to legal posturing and fear of class-action litigation, which reward a defensive posture over prompt customer notification. The regulations themselves leave a loophole he calls out: GDPR and CCPA require notifying individuals only when a breach poses a "high risk" or is likely to cause "serious harm", so a company that decides the leaked data falls below that threshold can avoid notifying victims at all. Hunt's conclusion is that organizations prioritize shareholder protection and litigation avoidance over customer safety, whatever their public commitments say.
What commenters are saying
Commenters questioned whether HIBP is still necessary given alternatives such as Snusbase; one linked to Hunt's earlier explanation of why HIBP never exposes actual passwords. On disclosure incentives, the thread split: in B2B tech, especially at founder-majority companies, a breach can be a genuine deal-breaker with customers, which drives faster response, whereas most public companies see no material stock-price impact and no executive accountability, so the incentive to disclose quickly is absent. GDPR enforcement was described as inconsistent across jurisdictions. On personal protection, commenters dismissed email plus-addressing (user+site@example.com) as ineffective, since spammers simply strip the "+tag" or infer the base address from the breach data itself; a proper aliasing service (DuckDuckGo Email Protection, SimpleLogin, Addy.io) was recommended instead, because each alias is an unrelated address that cannot be mapped back to the real mailbox.
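The plus-addressing point above, as an added example that is not from the original thread, from Troy Hunt, or from HIBP: the normalization anyone processing a breach dump (a spammer included) applies to recover the base mailbox. The sample rows are constructed, and the alias-service address is a made-up one; the "+" sub-address rule and Gmail's dot-folding are the providers' documented behaviour, everything else is an assumption for illustration.

```python
import re
from collections import defaultdict
from typing import Optional

# Constructed sample of breach records (not real data): the kind of rows a
# leaked user table contains, with several plus-addressed variants of one
# base mailbox and one address from an aliasing service.
SAMPLE_BREACH_ROWS = [
    "alice+carnival@gmail.com",
    "a.lice+shop2019@googlemail.com",
    "alice@gmail.com",
    "bob+news@fastmail.com",
    "BOB@fastmail.com",
    "k7f2q9x1@duck.com",  # made-up alias-service address: no recoverable base
]

# Domains that apply Gmail's rules: dots in the local part are ignored and
# googlemail.com delivers to the same mailbox as gmail.com.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

# Loose address shape check; good enough for canonicalising dump rows,
# deliberately not a full RFC 5322 validator.
_ADDR_RE = re.compile(r"([^@\s]+)@([^@\s]+\.[^@\s]+)")


def canonical(email: str) -> Optional[str]:
    """Reduce an address to the mailbox mail would actually be delivered to.

    Lowercases, strips the '+tag' sub-address (the convention Gmail,
    Fastmail, Outlook.com and Postfix with recipient_delimiter=+ follow),
    and for Gmail also drops dots in the local part and folds
    googlemail.com into gmail.com. Returns None for anything that does not
    look like an address.
    """
    m = _ADDR_RE.fullmatch(email.strip().lower())
    if not m:
        return None
    local, domain = m.group(1), m.group(2)
    local = local.split("+", 1)[0]  # 'alice+carnival' -> 'alice'
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def group_by_mailbox(rows):
    """Map each canonical mailbox to the raw variants seen in the dump.

    A plus-addressed user collapses to one key with several variants; an
    alias-service address stays a singleton because there is nothing to
    strip, which is exactly why aliasing works and plus-addressing does not.
    """
    groups = defaultdict(list)
    for raw in rows:
        base = canonical(raw)
        if base:
            groups[base].append(raw)
    return dict(groups)


if __name__ == "__main__":
    for base, variants in group_by_mailbox(SAMPLE_BREACH_ROWS).items():
        print(f"{base}: {variants}")
```

Running it collapses the three "alice" variants and the two "bob" variants to one mailbox each, while the alias stands alone. The same pass run over a real dump is how a "+hibp" tag ends up receiving spam at the base address, and it is why the unique, unrelated addresses an aliasing service hands out are the recommendation.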