After 1,000 Breaches, Victims Still Wait Months for Warnings

Troy Hunt reached 1,000 breaches in Have I Been Pwned as notification delays lengthen. Companies take 40+ days to warn victims even after public leaks. New state laws like California's 30-day mandate aim to close gaps, yet major incidents still drag on for months. The pattern reveals misaligned priorities between organizations and those whose data they hold.
Written by Dave Ritchie

Troy Hunt loaded his 1,000th data breach into Have I Been Pwned this month. The milestone arrived not with celebration but frustration. Disclosure delays have grown longer. Companies take weeks or months to tell affected individuals even after data appears for sale or leaks publicly. And the pattern shows no sign of reversing.

Hunt, the Australian security researcher who launched the site in 2013, expected regulations like GDPR and CCPA to reduce the need for his service. They did not. Organizations still drag their feet. They cite the need for thorough investigation. They point to legal allowances for determining scope. Victims, meanwhile, remain exposed without knowing it. Short. Simple. Costly.

Consider Carnival Corporation. News of a potential breach broke in mid-April. ShinyHunters claimed responsibility and published data shortly after. The company finally sent notices to individuals on May 27. Forty-three days had passed. Troy Hunt documented the timeline and the company’s explanation: a “thorough and time-consuming analysis of the impacted data.” That phrase appears often. It rarely satisfies those whose information circulates on hacking forums in the interim.

ZenBusiness followed a similar script. Forty-five days from discovery to notification. The data had already spread widely enough to reach Hunt’s database. One affected customer, Roby Joyce, captured the sentiment perfectly. “That is not a customer-protection posture. That is a litigation posture.” Companies frame their responses around eventual legal compliance rather than immediate harm reduction. But Hunt sees deeper incentives at work. Class-action lawsuits often launch within hours of public breach reports. Executives answer first to shareholders. Customers come later.

This misalignment persists despite years of privacy rules. GDPR requires notification “without undue delay” when the risk to individuals is high. Carve-outs exist for law enforcement or system restoration. CCPA and similar state laws once used flexible language such as “without unreasonable delay.” Those phrases gave cover. Now some states have drawn harder lines.

California moved decisively. Governor Gavin Newsom signed SB 446 in October 2025. Starting January 1, 2026, businesses must notify affected residents within 30 calendar days of discovering a breach. They must also send a copy of the notice to the Attorney General within 15 days for incidents affecting more than 500 people. The old standard of “most expedient time possible and without unreasonable delay” disappears. State Senator Melissa Hurtado, who authored the bill, argued the previous approach left people uninformed for months or even a year. “Californians deserve the right to act swiftly when their personal information is compromised,” she said according to legislative analysis. The Data Protection Report covered the change.

New York adopted a parallel 30-day cap late in 2024. Twenty states now set numeric deadlines between 30 and 60 days. The rest still rely on qualitative standards. A 2026 survey by the Privacy Rights Clearinghouse found that 39% of states specify exact windows. Progress exists. Enforcement questions remain. Federal rules for financial institutions under the FTC Safeguards Rule require notice within 30 days for breaches hitting 500 or more customers. Yet large incidents still stretch far beyond those marks.

The Conduent breach offers a stark recent example. The government technology contractor suffered a ransomware attack in January 2025. Notifications trickled out starting in October 2025. By early 2026 the tally had climbed past 25 million affected people across multiple states. Texas alone reported 15.4 million. Oregon added 10.5 million. Conduent’s “Incident Notice” page carried a hidden noindex tag that kept it out of search results. The company described its process as a “detailed analysis of the affected files.” Spokesperson Sean Collins declined to specify total notifications sent or explain the search suppression when asked by reporters. TechCrunch tracked the expanding impact.

Such tactics compound the problem. People cannot protect themselves if they never learn of the breach. Credit monitoring offers arrive late. Password changes happen after compromise. Identity theft risks climb during the gap. Hunt’s database fills the void. Users check their email addresses or phone numbers and receive immediate alerts about exposures that companies have not yet acknowledged.

But reliance on a single independent site raises larger questions. Why do organizations resist early, partial disclosures? Many breaches involve email lists or non-sensitive credentials first. Telling people quickly allows them to watch for fraud even before full scope emerges. Legal departments worry that early admission could invite lawsuits or signal weakness. Boards focus on stock price and regulatory fines. The social obligation to customers receives less weight.

Hunt has sat in meetings with breached companies. He hears the same justifications repeatedly. Some skirt obligations. Others stretch them. “I’ve been in many meetings with breached companies over the years where they’re obviously aiming to skirt around disclosure obligations,” he wrote. The evidence appears everywhere. Search results for recent breaches often return law firm solicitations before official notices. That pattern fuels his theory that litigation posture now drives timing more than customer protection.

Data from 2025 and early 2026 reinforces the trend. IBM’s Cost of a Data Breach report put the mean time to identify and contain an incident at 241 days. Detection alone took 181 days on average. Mandiant’s M-Trends found shorter dwell times in targeted attacks, but still measured in weeks. Longer periods before public acknowledgment leave victims blind. DeepStrike summarized the latest breach lifecycle figures.

Regulators have begun to push back. The European Data Protection Board and state attorneys general pursue enforcement actions. Yet fines sometimes register as the cost of doing business for large firms. Class actions proliferate. Settlements provide payouts but rarely change internal behavior around notification speed. Oklahoma expanded its breach definition in 2026 to include biometric data and unique electronic identifiers. It also requires Attorney General notification for larger incidents. These tweaks address scope but do little to shrink the disclosure window directly.

Hunt never intended Have I Been Pwned to become permanent infrastructure. Twelve and a half years later it processes its thousandth breach. The site now holds billions of records. New incidents arrive weekly. Some companies notify promptly. Many do not. Charter Communications disclosed a recent event with minimal sensitive data loss and no immediate individual notices. Other names from the past month include 7-Eleven, Ameriprise, Mytheresa and Kemper. Each adds to the ledger.

The gap between technical reality and legal expectation continues to widen. Hackers move fast. Data appears on clear-web leak sites within days. Companies respond with forensic reviews that last months. Victims sit in the middle, checking their mail for letters that may never arrive or arrive too late. Some never receive notice at all if their data falls outside strict legal triggers.

California’s new 30-day rule may set a precedent. Other states could follow. Federal legislation remains elusive. In the meantime independent services like Hunt’s fill the accountability void. They cannot replace corporate responsibility. They expose its absence. Organizations claim they prioritize security and privacy. Their notification records suggest otherwise. Shareholders first. Customers second. The lag proves it.

So the thousandth breach lands. Hunt loads it. Users search their data. And the cycle repeats. Until incentives align or regulators close the loopholes, Have I Been Pwned will mark its 2,000th entry. The question is not if. It is how much longer victims must wait.
