
Why Breach Disclosure Delays Are Getting Worse in Cybersecurity

June 8, 2026 · 11 min read · By Rafael

Key Takeaways

  • Troy Hunt loaded the 1,000th breach into Have I Been Pwned in April 2026, revealing that disclosure delays are worse than ever, often exceeding 45 days.
  • High-profile breaches like Carnival (43 days) and Zara (45 days) show that organizations know about incidents for weeks before notifying victims.
  • Class-action lawsuits and legal carve-outs in GDPR and CCPA create perverse incentives for organizations to delay or avoid disclosure entirely.
  • Regulatory loopholes allow indefinite silence when breaches don’t meet “high risk” thresholds, leaving victims in the dark.
  • Automated detection, tighter notification windows, and cultural shifts toward transparency are needed to close the disclosure gap.

After 1,000 breaches loaded into Have I Been Pwned, disclosure lag has only gotten worse.

Introduction: The 1,000th Breach and the Worsening Problem

On April 24, 2026, Troy Hunt loaded the 1,000th data breach into Have I Been Pwned (HIBP). That milestone should have been a moment to celebrate how far breach transparency has come. Instead, it became an occasion for a grim observation: the time between a breach occurring and the public learning about it is longer than ever.

The 1,000th breach was Carnival Corporation, the cruise operator hit by the ShinyHunters extortion group. The attackers published 8.7 million records — including names, email addresses, dates of birth, gender, location data, and loyalty program details — on April 24. Carnival knew about the breach days before that, when ShinyHunters began their extortion campaign. Yet Carnival did not notify victims until May 27, a full 43 days after learning of the incident. Even then, some victims reported that Carnival was still denying a breach had occurred as recently as four days before the official disclosure.

This pattern is not an outlier. Days after the Carnival disclosure, Zara was found to have waited 45 days to notify victims after ShinyHunters published 197,000 unique email addresses, customer support records, product SKUs, and order IDs. In both cases, data was broadly distributed across hacking forums, Telegram channels, and clear-web leak sites within hours of publication. Victims could find their own data through HIBP or third-party researchers long before the affected companies told them anything.

As Hunt put it in his analysis: “The title kinda gives the answer away, and the big number we hit today coincided with another pattern that makes everything worse: increasingly long lag times for disclosure.” The question is why this keeps happening, and what can be done about it.

What Drives the Growing Disclosure Lag?

The causes of worsening disclosure delays are structural, not accidental. Hunt identifies several interconnected factors that create a system where silence is the default response.

The litigation trap. Hunt’s analysis points to a surge in class-action lawsuits filed immediately after breach announcements. A search for the DentaQuest breach, he notes, returns three class-action results among the first four search hits. Organizations now factor litigation risk into their disclosure decisions. The more time that passes between a breach and disclosure, the harder it becomes for plaintiffs to prove damages, and the more time the organization has to shape its narrative. Hunt calls this a “litigation posture” rather than a “customer-protection posture.” Rob Joyce, former NSA cybersecurity director, made the same observation after learning about his own exposure in the ZenBusiness breach via HIBP: the company’s response was designed to shield it from lawsuits, not to inform affected individuals.

The “we need to assess scope” excuse. Hunt notes that organizations routinely cite a need for “thorough and time-consuming analysis of impacted data” before notifying victims. While assessing the full scope of a breach is genuinely complex — determining jurisdictional obligations, identifying all affected data types, and reconstructing attacker activity takes time — Hunt argues that early notification is almost always feasible. “Pulling out email addresses and sending early notification is very easy,” he writes. “I’ve literally done it a thousand times now.” Sending a simple notification that says “your email address was exposed, more details to come” requires hours, not weeks. The decision to delay is strategic, not technical.

Infinite silence is permitted by law. Perhaps the most alarming finding in Hunt’s analysis is that some breaches may never be disclosed to individual victims at all. GDPR, CCPA, and Australia’s Notifiable Data Breaches scheme all contain the same carve-out: organizations must notify individuals only if a breach is “likely to result in high risk” or “likely to cause serious harm.” If an organization determines that exposed data — such as names and email addresses — does not meet that threshold, it can legally remain silent. ZenBusiness, according to Hunt’s account, still has not contacted individual victims despite their data being widely distributed online. Charter Communications similarly argued that no “sensitive personal information” was exposed, a claim Hunt describes as “legal posturing.” This is a pattern that parallels recovering data from a broken filesystem: just because the raw data is still present does not mean anyone is obligated to tell you it was exposed.

Real-World Examples: Carnival, Zara, and the 45-Day Gap

The Carnival case illustrates the full lifecycle of a modern disclosure failure. On April 19, 2026, ShinyHunters announced their extortion campaign against Carnival on their dark-web site. The group gave Carnival a deadline, then published the full 8.7 million-record dataset on April 24 — not just on the dark web but also on a clear-web site accessible to anyone with a browser. Industry commentary and reposts on hacking forums followed within hours. By April 24, HIBP had already loaded the data and was notifying subscribers.

Carnival’s official notification came on May 27, via a press release and a filing with the Maine Attorney General’s office. The company stated that it had learned of the incident 43 days earlier. In the intervening weeks, Carnival customers who asked about the breach were told there was no breach. One victim tweeted at Hunt on May 28: “I’m in the breach per HIBP, but Carnival is telling me there’s no breach!”

Zara’s timeline was similar. ShinyHunters published 197,000 unique email addresses along with customer support records, product SKUs, and order IDs in April. The data was widely distributed. Hunt loaded it into HIBP on May 8. Zara’s official disclosure came 45 days after the data was published.

Both cases share a common structure: data was public, victims were identifiable, organizations knew, and yet notification was withheld for six weeks or more.

How Delayed Disclosure Harms Victims and Markets

The harm caused by delayed disclosure is not abstract. Every day that passes between a breach and notification is a day when attackers can use exposed data for phishing, identity theft, or account takeover. Victims cannot change passwords, enable multi-factor authentication, or freeze credit if they do not know they have been compromised.

Market impact. Research on market reactions to cybersecurity breach disclosures shows that public announcements trigger discernible shifts in market valuation, typically manifesting as immediate negative abnormal returns. Delayed disclosure does not prevent market damage; it postpones it and often amplifies it. When investors learn that a company knew about a breach for weeks before telling anyone, the reputational and legal consequences are worse.

Regulatory risk. The SEC’s cybersecurity disclosure rules, finalized in 2023 and refined through 2026, require publicly traded companies to report material cybersecurity incidents within four business days. But the rules include a carve-out for delays that pose “substantial risk to national security or public safety.” According to DOJ guidelines, such delays are granted sparingly and only when the Attorney General determines that disclosure would cause substantial harm. The guidelines specify a maximum delay of 30 days. Yet Carnival and Zara both exceeded that window without any national security justification.

Trust erosion. The long-term cost of delayed disclosure is trust. Hunt notes that when organizations prioritize shareholder protection over customer notification, they send a clear signal about their values. The social contract between companies and their customers requires transparency, especially when sensitive data is involved. Breaches are inevitable. How organizations respond determines whether trust survives.

The legal framework around breach notification is broken in a specific way: it allows organizations to avoid disclosure entirely when exposed data falls outside narrow definitions of “sensitive” information.

Under the UK’s GDPR implementation, organizations must inform individuals if a breach “is likely to result in high risk of adversely affecting individuals’ rights and freedoms.” Australia’s Notifiable Data Breaches scheme requires notification only if a breach “is likely to cause you serious harm.” California’s CCPA defines sensitive personal information as a specific subset that includes Social Security numbers, account log-in credentials, financial account numbers, precise geolocation, health information, and biometric data. Names and email addresses are not on that list.

The result is a legal framework that permits silence when exposed data is “only” names, email addresses, and loyalty program details. Hunt is blunt about the consequences: “In other words, none of this applies to any of the ShinyHunters breaches in the examples I’ve been providing above.”

This creates a perverse incentive structure. Organizations can conduct a legal analysis, determine that the exposed data does not qualify as “sensitive” under applicable regulations, and decide not to notify victims. The data may be widely published online. Attackers may already be using it. But as long as the organization’s legal team can argue that no “serious harm” is likely, silence is permitted.

Hunt distinguishes between legal obligations and social obligations. “Clearly, these obligations aren’t legal ones,” he writes, “but I will argue they’re social ones. We expect to be notified when our data is leaked, and we believe organizations should be required to inform us. Therein lies the gap.”

What Can Be Done to Close the Disclosure Gap?

Closing the disclosure gap requires changes across three fronts: regulation, technology, and culture.

Regulatory reform. The carve-outs that allow indefinite silence need to be narrowed or eliminated. If a dataset has been published online and is accessible to the public, the “high risk” threshold has been met by definition. Notification should be mandatory within a fixed window — Hunt suggests 72 hours as a reasonable target — regardless of whether the exposed data technically qualifies as “sensitive.” The SEC’s four-business-day rule for material incidents is a step in the right direction, but it only applies to publicly traded companies and only to incidents deemed “material.”

Automated detection and notification. Organizations should deploy automated systems that can detect breaches and trigger notification workflows within hours, not weeks. Modern security tools can identify anomalous data exfiltration, scan the dark web for leaked credentials, and cross-reference against customer databases. These systems can generate notification lists automatically. The technical barrier to early notification is low; the organizational barrier is high. The same kind of fault-tolerant automation that is used to build reliable database workflows can be applied to breach notification pipelines.
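As an added illustration of the pipeline this paragraph describes (example code written for this article, not Hunt's or HIBP's), the block below matches a leaked address dump against a customer table on keyed hashes of normalised e-mail addresses, emits the minimal "your email address was exposed, more details to come" notice, and measures disclosure lag against the 72-hour target mentioned earlier. The key, customers and dump are all constructed.

```python
"""Constructed example (not from the article): early-notification pipeline that
joins a leak dump to a customer table on keyed e-mail hashes, emits early notices,
and reports disclosure lag against a 72-hour target."""
import hashlib
import hmac
from datetime import datetime, timedelta

# Constructed per-incident key; a real pipeline would fetch it from a secrets manager.
PEPPER = b"constructed-demo-key"
NOTIFICATION_TARGET = timedelta(hours=72)  # the window Hunt suggests as a target


def normalise_email(addr: str) -> str:
    """Canonicalise case and whitespace so `Alice@Example.COM ` matches `alice@example.com`."""
    return addr.strip().lower()


def fingerprint(addr: str) -> str:
    """Keyed hash of the normalised address; dump and customer table are joined on this
    so the raw dump is never loaded next to customer records."""
    return hmac.new(PEPPER, normalise_email(addr).encode(), hashlib.sha256).hexdigest()


def match_leak(leaked: list[str], customers: list[dict]) -> dict[str, str]:
    """Return {customer_id: email} for every customer present in the dump (duplicates collapse)."""
    index = {fingerprint(c["email"]): c for c in customers}
    hits = {}
    for raw in leaked:
        cust = index.get(fingerprint(raw))
        if cust is not None:
            hits[cust["id"]] = normalise_email(cust["email"])
    return hits


def early_notices(hits: dict[str, str], incident: str) -> list[dict]:
    """The 'your email address was exposed, more details to come' message, one per victim."""
    body = (f"Your email address was included in data exposed in the {incident} incident. "
            "Full details will follow once scoping is complete.")
    return [{"to": email, "customer_id": cid, "body": body} for cid, email in sorted(hits.items())]


def lag_report(learned_at: str, notified_at: str) -> dict:
    """Whole days between learning of a breach and notifying (ISO-8601 inputs), and target status."""
    delta = datetime.fromisoformat(notified_at) - datetime.fromisoformat(learned_at)
    return {"lag_days": delta.days, "within_target": delta <= NOTIFICATION_TARGET}


# Constructed sample data: no real customers or breach records.
CUSTOMERS = [{"id": "c-001", "email": "alice@example.com"}, {"id": "c-002", "email": "bob@example.com"},
             {"id": "c-003", "email": "carol@example.com"}]
LEAK_DUMP = ["Alice@Example.COM ", "bob@example.com", "bob@example.com", "mallory@example.net"]
```

Run against real data, `match_leak` is the step Hunt describes as taking hours: the output of `early_notices` is the list that can go out the same day, while scoping continues.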

Cultural shift. The most difficult change is cultural. Organizations need to stop treating breach disclosure as a liability to be minimized and start treating it as a trust-building obligation. Hunt’s analysis shows that companies that delay disclosure are not malicious; they are responding rationally to the incentives they face. Class actions punish disclosure. Legal carve-outs reward silence. Changing those incentives requires regulatory action and, ultimately, consumer pressure.

Industry standards. Professional organizations and industry bodies should develop clear standards for breach notification timelines and communication protocols. When every organization is operating under the same expectations, the competitive disadvantage of early disclosure disappears.

Conclusion: Transparency as the Only Path Forward

The 1,000th breach in Have I Been Pwned was a reminder that systems designed to protect breach victims are failing. The data is published, attackers move on, and victims are left to find out from third-party services weeks or months after the fact.

Hunt’s analysis is worth reading in full. His conclusion is stark but honest: “Clearly, their goals are misaligned with ours regarding breach disclosure, and that’s why, 1,000 breaches later, HIBP still exists.”

For security professionals, the takeaway is clear. Build detection systems that can identify breaches in real time. Push for notification policies that prioritize victims over legal risk. And recognize that disclosure lag is not a technical problem — it is a trust problem. Technical solutions exist. The hard part is choosing to use them.

Read Troy Hunt’s full analysis at 1,000 Data Breaches Later, Disclosure Lag is Worse Than Ever.

| Breach | Data Published | Victims Notified | Disclosure Lag | Data Exposed | Source |
|---|---|---|---|---|---|
| Carnival Corporation | April 24, 2026 | May 27, 2026 | 43 days | 8.7M records: names, emails, DOB, loyalty data | Troy Hunt / HIBP |
| Zara | April 2026 | Late May 2026 | 45 days | 197K emails, customer support records, order IDs | Troy Hunt / HIBP |
| ZenBusiness | 2026 | No individual notification (as of Hunt’s writing) | Indefinite | Customer PII | Troy Hunt / HIBP |
| Charter Communications | May 2026 | No individual notification reported | Indefinite | Customer data (org claims no “sensitive PII”) | BleepingComputer |
