Disclosure Lag for Data Breaches Gets Worse After 1,000 Incidents

Original: 1k Data Breaches Later, the Disclosure Lag Is Worse

Why This Matters

Extended disclosure delays leave breach victims unaware of exposure for weeks while data circulates publicly

Troy Hunt loaded the 1,000th data breach into Have I Been Pwned and used the milestone to highlight worsening disclosure delays. The Carnival breach took 43 days to notify victims even though the data was already public, and another incident in the post took 45 days.

Security researcher Troy Hunt marked loading the 1,000th data breach into Have I Been Pwned by examining how disclosure lag is getting worse. The Carnival Corporation breach exemplified the problem: ShinyHunters targeted the cruise operator and publicly leaked 8.7M records, including email addresses and loyalty data, on April 24th. Carnival did not notify affected customers until May 27th, 43 days after it learned of the incident and 33 days after the data was already circulating. Hunt noted that 85% of the records were already in his database by the time Carnival disclosed, and that the data had been widely available across hacking forums and Telegram channels throughout the delay.

Hunt criticized the common justification that a "thorough analysis" requires such delays, arguing that a basic email notification can go out much earlier while the detailed assessment continues. Another breach mentioned in the post, unnamed in this summary, took 45 days to disclose, suggesting this pattern is becoming standard practice across the industry.

Source

troyhunt.com