{"id":3419,"date":"2026-06-01T09:06:05","date_gmt":"2026-06-01T09:06:05","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/01\/1000-data-breaches-later-the-disclosure-lag-is-worse-than-ever\/"},"modified":"2026-06-01T09:06:05","modified_gmt":"2026-06-01T09:06:05","slug":"1000-data-breaches-later-the-disclosure-lag-is-worse-than-ever","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/01\/1000-data-breaches-later-the-disclosure-lag-is-worse-than-ever\/","title":{"rendered":"1,000 Data Breaches Later, the Disclosure Lag is Worse Than Ever"},"content":{"rendered":"<div><img decoding=\"async\" src=\"https:\/\/storage.ghost.io\/c\/fb\/33\/fb3391dc-723d-4e74-b95a-d641b5feb38e\/content\/images\/2026\/06\/photo_2026-05-31_20-34-34.jpg\" alt=\"1,000 Data Breaches Later, the Disclosure Lag is Worse Than Ever\"><\/p>\n<p>Today, I loaded the 1,000th data breach into <a href=\"https:\/\/haveibeenpwned.com\/?ref=troyhunt.com\" rel=\"noreferrer\">Have I Been Pwned<\/a>. Reflecting on that milestone number, I pondered how to mark the occasion in writing, and what immediately came to mind was a very simple question: why is it still needed? Especially considering the emergence of privacy regulations such as GDPR and CCPA in the 12 and a half years since I started HIBP, what possible purpose does it still serve? The title kinda gives the answer away, and the big number we hit today coincided with another pattern that makes everything worse: increasingly long lag times for disclosure.<\/p>\n<p>This is all going to be anecdotal, and as far as I know, there are no hard numbers for me to cite, but the evidence is everywhere. Here&#8217;s what I mean:<\/p>\n<p><!--kg-card-begin: html--><\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">New breach: Cruise operator Carnival was targeted in a ShinyHunters \u201cpay or leak\u201d attack last week. 
8.7M records with 7.5M email addresses and loyalty program data were published yesterday. 85% were already in <a href=\"https:\/\/x.com\/haveibeenpwned?ref_src=twsrc%5Etfw&amp;ref=troyhunt.com\">@haveibeenpwned<\/a>. Read more: <a href=\"https:\/\/t.co\/QhqNt0WucV?ref=troyhunt.com\">https:\/\/t.co\/QhqNt0WucV<\/a><\/p>\n<p>\u2014 Have I Been Pwned (@haveibeenpwned) <a href=\"https:\/\/x.com\/haveibeenpwned\/status\/2047497445383528908?ref_src=twsrc%5Etfw&amp;ref=troyhunt.com\">April 24, 2026<\/a><\/p><\/blockquote>\n<p><!--kg-card-end: html--><\/p>\n<p>That was the 24th of April, five days after <a href=\"https:\/\/cyberinsider.com\/carnival-corporation-probes-data-breach-after-claims-of-8-7m-records-theft\/?ref=troyhunt.com\" rel=\"noreferrer\">news of the incident had broken<\/a>. Given ShinyHunters&#8217; MO, Carnival would have known about the breach many days before they ratcheted up extortion pressure by announcing the impending leak on their website. 
The subsequent leak on the 24th was very public: an announcement was posted to the group&#8217;s dark-web site, the data itself was published to their <em>clear-web<\/em> site, and industry commentary followed:<\/p>\n<p><!--kg-card-begin: html--><\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">\ud83d\udea8 Massive Data Breach<\/p>\n<p>Carnival Corporation (<a href=\"https:\/\/t.co\/pGlchZ1yFy?ref=troyhunt.com\">https:\/\/t.co\/pGlchZ1yFy<\/a>) reportedly impacted \u2014 8.7M+ customer records exposed<\/p>\n<p>\ud83d\udcca Alleged data includes:<br \/>\u2022 Full names &amp; email addresses<br \/>\u2022 Dates of birth &amp; gender<br \/>\u2022 Location data &amp; loyalty program details<\/p>\n<p>\ud83c\udfaf Linked to ShinyHunters\u2026 <a href=\"https:\/\/t.co\/Fd8tNFPqpd?ref=troyhunt.com\">pic.twitter.com\/Fd8tNFPqpd<\/a><\/p>\n<p>\u2014 Intel and Breaches (@IBreaches) <a href=\"https:\/\/x.com\/IBreaches\/status\/2047764076785463722?ref_src=twsrc%5Etfw&amp;ref=troyhunt.com\">April 24, 2026<\/a><\/p><\/blockquote>\n<p><!--kg-card-end: html--><\/p>\n<p>Per that last post, the data was then reposted to all sorts of other places: hacking forums, Telegram channels, and who knows how many other, more private locations. The point is that it spread quickly, extensively, and, without any shadow of a doubt, Carnival were aware of this. <a href=\"https:\/\/www.maine.gov\/agviewer\/content\/ag\/985235c7-cb95-4be2-8792-a1252b4f8318\/d6729ef2-7bb3-42d3-abdd-99a1dd8f2415.html?ref=troyhunt.com\" rel=\"noreferrer\">They then told people about it on the 27th&#8230; of May<\/a>. 
According to <a href=\"https:\/\/api.kscope.io\/ks-doc-view?key=fde6d8e0-6260-46ee-9286-9578b2baf99c&amp;content=benznews&amp;docid=146ca2a0b6b2c9132af22b2efdfcee546d60ba59&amp;allow_back=true&amp;ref=troyhunt.com\" rel=\"noreferrer\">their press release that same day<\/a>, this was 43 days after learning about the incident. For more than 6 weeks, data breach victims whose names, dates of birth, email addresses, loyalty program details and, of course, their association with Carnival leaked to the public en masse had absolutely no idea of their exposure. And if they asked Carnival about it? Well:<\/p>\n<p><!--kg-card-begin: html--><\/p>\n<blockquote class=\"twitter-tweet\" data-conversation=\"none\">\n<p lang=\"en\" dir=\"ltr\">As recently as four days ago, we heard \u201cI\u2019m in the breach per HIBP, but Carnival is telling me there\u2019s no breach!\u201d <a href=\"https:\/\/t.co\/YYmGm3NzEY?ref=troyhunt.com\">pic.twitter.com\/YYmGm3NzEY<\/a><\/p>\n<p>\u2014 Troy Hunt (@troyhunt) <a href=\"https:\/\/x.com\/troyhunt\/status\/2060082594818224480?ref_src=twsrc%5Etfw&amp;ref=troyhunt.com\">May 28, 2026<\/a><\/p><\/blockquote>\n<p><!--kg-card-end: html--><\/p>\n<p>So, why the delay? <a href=\"https:\/\/www.theregister.com\/cyber-crime\/2026\/05\/28\/carnival-shinyhunters-cruised-off-with-6m-customer-records\/5247808?ref=troyhunt.com\" rel=\"noreferrer\">Last week&#8217;s press coverage<\/a> may give some insight:<\/p>\n<blockquote><p>thorough and time-consuming analysis of the impacted data<\/p><\/blockquote>\n<p>Often, the reason I hear for disclosure lag is &#8220;we needed to fully assess the scope of exposed data before notifying people&#8221;. The issue I have with this position is that it implies that even an early heads-up can&#8217;t happen until there&#8217;s a very comprehensive understanding of the impact. 
There are many things that take time to establish after a data breach: the jurisdiction each individual sits in, the precise data that was exposed about them and additional information that may be buried in terabytes of exfiltrated data in all sorts of different formats. But pulling out email addresses and sending early notification is <em>very <\/em>easy &#8211; I&#8217;ve literally done it a thousand times now.<\/p>\n<p>This isn&#8217;t just a Carnival issue; in fact, it was off the back of this next one only a few days later that I was prompted to write this post:<\/p>\n<figure class=\"kg-card kg-image-card\"><img decoding=\"async\" src=\"https:\/\/storage.ghost.io\/c\/fb\/33\/fb3391dc-723d-4e74-b95a-d641b5feb38e\/content\/images\/2026\/05\/image-1.png\" class=\"kg-image\" alt=\"1,000 Data Breaches Later, the Disclosure Lag is Worse Than Ever\" loading=\"lazy\" width=\"1220\" height=\"1085\" srcset=\"https:\/\/storage.ghost.io\/c\/fb\/33\/fb3391dc-723d-4e74-b95a-d641b5feb38e\/content\/images\/size\/w600\/2026\/05\/image-1.png 600w, https:\/\/storage.ghost.io\/c\/fb\/33\/fb3391dc-723d-4e74-b95a-d641b5feb38e\/content\/images\/size\/w1000\/2026\/05\/image-1.png 1000w, https:\/\/storage.ghost.io\/c\/fb\/33\/fb3391dc-723d-4e74-b95a-d641b5feb38e\/content\/images\/2026\/05\/image-1.png 1220w\" sizes=\"auto, (min-width: 720px) 720px\"><\/figure>\n<p>FFS. 45 days. Even worse than Carnival. And like Carnival, <em>very <\/em>broadly distributed and easily accessible by the masses, including HIBP:<\/p>\n<p><!--kg-card-begin: html--><\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">New breach: Zara was named as a ShinyHunters victim last month, after which data containing 197k unique email addresses was published. Impacted data included customer support records, product SKUs and order IDs. 60% were already in <a href=\"https:\/\/x.com\/haveibeenpwned?ref_src=twsrc%5Etfw&amp;ref=troyhunt.com\">@haveibeenpwned<\/a>. 
More: <a href=\"https:\/\/t.co\/0hIQbqoBCk?ref=troyhunt.com\">https:\/\/t.co\/0hIQbqoBCk<\/a><\/p>\n<p>\u2014 Have I Been Pwned (@haveibeenpwned) <a href=\"https:\/\/x.com\/haveibeenpwned\/status\/2052650516304609420?ref_src=twsrc%5Etfw&amp;ref=troyhunt.com\">May 8, 2026<\/a><\/p><\/blockquote>\n<p><!--kg-card-end: html--><\/p>\n<p>I have a working theory that the disclosure lag is worsening in part due to the proliferation of class actions <em>immediately<\/em> following a breach. In my live stream last weekend, I did a quick search for the DentaQuest breach:<\/p>\n<figure class=\"kg-card kg-image-card\"><img decoding=\"async\" src=\"https:\/\/storage.ghost.io\/c\/fb\/33\/fb3391dc-723d-4e74-b95a-d641b5feb38e\/content\/images\/2026\/05\/image-2.png\" class=\"kg-image\" alt=\"1,000 Data Breaches Later, the Disclosure Lag is Worse Than Ever\" loading=\"lazy\" width=\"833\" height=\"724\" srcset=\"https:\/\/storage.ghost.io\/c\/fb\/33\/fb3391dc-723d-4e74-b95a-d641b5feb38e\/content\/images\/size\/w600\/2026\/05\/image-2.png 600w, https:\/\/storage.ghost.io\/c\/fb\/33\/fb3391dc-723d-4e74-b95a-d641b5feb38e\/content\/images\/2026\/05\/image-2.png 833w\" sizes=\"auto, (min-width: 720px) 720px\"><\/figure>\n<p>Three of the first four results are all for class actions related to the breach, and there are two more class action results a little further down the page. <a href=\"https:\/\/www.troyhunt.com\/data-breaches-class-actions-and-ambulance-chasing\/\" rel=\"noreferrer\">I&#8217;ve been raising concerns about the adverse impact of class actions for many years now<\/a>, and it&#8217;s worse than I&#8217;ve ever seen. By a big margin, too.<\/p>\n<p>It&#8217;s not just me observing how the behaviour of these orgs appears to be influenced by how lawyers will respond, either. 
Have a read of this post from <a href=\"https:\/\/en.wikipedia.org\/wiki\/Rob_Joyce?ref=troyhunt.com\" rel=\"noreferrer\">Rob Joyce<\/a> (check out his bio if you don&#8217;t already know why he&#8217;s worth paying attention to) after he learned about his exposure in the ZenBusiness breach via HIBP:<\/p>\n<p><!--kg-card-begin: html--><br \/>\n<iframe loading=\"lazy\" src=\"https:\/\/www.linkedin.com\/embed\/feed\/update\/urn:li:share:7457134383007813632\" height=\"1258\" width=\"504\" frameborder=\"0\" allowfullscreen title=\"Embedded post\"><\/iframe><br \/>\n<!--kg-card-end: html--><\/p>\n<p>What especially caught my eye was this sentence:<\/p>\n<blockquote><p>That is not a customer-protection posture. That is a litigation posture.<\/p><\/blockquote>\n<p>This isn&#8217;t about prioritising the customer, it&#8217;s about protecting the organisation. I don&#8217;t think most people understand that organisational accountability really lies with their shareholders, first and foremost. All the pleasantries around &#8220;customers are our number one priority&#8221; and &#8220;we take security seriously&#8221; are all secondary to shareholder happiness, and minimising the chances of getting their arses sued into oblivion is a big part of that.<\/p>\n<p>Rob&#8217;s quoted comment above came immediately after the response he received from ZenBusiness after asking them about the incident:<\/p>\n<blockquote><p>If we determine that an incident resulted in the exposure of your protected PII, we will provide notice as legally required<\/p><\/blockquote>\n<p>Which brings me to the next problem as it relates to disclosure lag: it may be infinite. By which I mean you may <em>never<\/em> be told. Ever. GDPR allows it. CCPA allows it. Whatever your local privacy regulation acronym is also allows it. 
A couple of years ago, I wrote about <a href=\"https:\/\/www.troyhunt.com\/the-data-breach-disclosure-conundrum\/\" rel=\"noreferrer\">the data breach disclosure conundrum<\/a>, where I explained how privacy regs have very specific carve-outs around the circumstances under which data breach victims must be notified. For example:<\/p>\n<blockquote><p><em>If the breach is likely to result in a <strong>high risk of adversely affecting individuals\u2019 rights and freedoms<\/strong>, you must also inform those individuals without undue delay.<\/em><\/p><\/blockquote>\n<p>That&#8217;s in the UK, here&#8217;s our carve-out in Australia:<\/p>\n<blockquote><p>Under the\u00a0Notifiable Data Breaches scheme, an organisation or agency that must comply with Australian privacy law has to tell you if a\u00a0data breach\u00a0is <strong>likely to cause you serious harm<\/strong><\/p><\/blockquote>\n<p>You see the loophole, right? As far as I know, ZenBusiness still hasn&#8217;t contacted any individual victims. And like Carnival and Zara, their data is all over the place. Same with Charter, which was in the press last week, where <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/charter-confirms-data-breach-after-shinyhunters-extortion-threat\/?ref=troyhunt.com\" rel=\"noreferrer\">they were quoted as saying the following<\/a>:<\/p>\n<blockquote><p>No sensitive personal information (PI) or customer proprietary network information (CPNI) data was\u00a0exfiltrated by the threat actor as a result of recent activity<\/p><\/blockquote>\n<p>I&#8217;m not aware of any disclosure they&#8217;ve made to individuals, but to use Rob&#8217;s term, that sentence reads like legal posturing to me. 
It&#8217;s technically correct, of course: there are very clear definitions for sensitive PII, for example, under <a href=\"https:\/\/www.oag.ca.gov\/privacy\/ccpa?ref=troyhunt.com\" rel=\"noreferrer\">California&#8217;s CCPA<\/a>:<\/p>\n<blockquote><p>a specific subset of personal information that includes certain government identifiers (such as social security numbers); an account log-in, financial account, debit card, or credit card number with any required security code, password, or credentials allowing access to an account; precise geolocation; contents of mail, email, and text messages; genetic data; biometric information processed to identify a consumer; information concerning a consumer\u2019s health, sex life, or sexual orientation; or information about racial or ethnic origin, religious or philosophical beliefs, or union membership.<\/p><\/blockquote>\n<p>GDPR has a similar definition for &#8220;<a href=\"https:\/\/gdpr-info.eu\/art-9-gdpr\/?utm_source=chatgpt.com\" rel=\"noreferrer\">special categories of personal data<\/a>&#8221;:<\/p>\n<blockquote><p>personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person\u2019s sex life or sexual orientation<\/p><\/blockquote>\n<p>In other words, none of this applies to any of the ShinyHunters breaches in the examples I&#8217;ve been providing above.<\/p>\n<p>I&#8217;ve been in many meetings with breached companies over the years where they&#8217;re obviously aiming to skirt around disclosure obligations. Clearly, these obligations aren&#8217;t <em>legal <\/em>ones, but I will argue they&#8217;re <em>social <\/em>ones. We expect to be notified when our data is leaked, and we believe organisations should be required to inform us. 
Therein lies the gap.<\/p>\n<p>I&#8217;ll finish by recognising that every organisation I&#8217;ve referred to here, and indeed every one I&#8217;ve loaded into HIBP, has been the victim of a criminal act. I&#8217;m especially sympathetic to those who&#8217;ve been the target of an aggressive extortion campaign, and I know it&#8217;s been an absolute nightmare for the folks in those companies who&#8217;ve been left to clean up the mess. However&#8230; here we are. Clearly, their goals are misaligned with ours regarding breach disclosure, and that&#8217;s why, 1,000 breaches later, HIBP still exists.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Today, I loaded the 1,000th data breach into Have I Been Pwned. Reflecting on that milestone number, I pondered how to mark the occasion in writing, and what immediately came to mind was a very simple question: why is it still needed? Especially considering the emergence of privacy regulations such as GDPR and CCPA in [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[90],"tags":[91],"class_list":["post-3419","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","tag-cybersecurity"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>1,000 Data Breaches Later, the Disclosure Lag is Worse Than Ever - Imperative Business Ventures Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" 
href=\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/01\/1000-data-breaches-later-the-disclosure-lag-is-worse-than-ever\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"1,000 Data Breaches Later, the Disclosure Lag is Worse Than Ever - Imperative Business Ventures Limited\" \/>\n<meta property=\"og:description\" content=\"Today, I loaded the 1,000th data breach into Have I Been Pwned. Reflecting on that milestone number, I pondered how to mark the occasion in writing, and what immediately came to mind was a very simple question: why is it still needed? Especially considering the emergence of privacy regulations such as GDPR and CCPA in [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/01\/1000-data-breaches-later-the-disclosure-lag-is-worse-than-ever\/\" \/>\n<meta property=\"og:site_name\" content=\"Imperative Business Ventures Limited\" \/>\n<meta property=\"article:published_time\" content=\"2026-06-01T09:06:05+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/storage.ghost.io\/c\/fb\/33\/fb3391dc-723d-4e74-b95a-d641b5feb38e\/content\/images\/2026\/06\/photo_2026-05-31_20-34-34.jpg\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/01\/1000-data-breaches-later-the-disclosure-lag-is-worse-than-ever\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/01\/1000-data-breaches-later-the-disclosure-lag-is-worse-than-ever\/\"},\"author\":{\"name\":\"admin\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"headline\":\"1,000 Data Breaches Later, the Disclosure Lag is Worse Than Ever\",\"datePublished\":\"2026-06-01T09:06:05+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/01\/1000-data-breaches-later-the-disclosure-lag-is-worse-than-ever\/\"},\"wordCount\":1570,\"image\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/01\/1000-data-breaches-later-the-disclosure-lag-is-worse-than-ever\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/storage.ghost.io\/c\/fb\/33\/fb3391dc-723d-4e74-b95a-d641b5feb38e\/content\/images\/2026\/06\/photo_2026-05-31_20-34-34.jpg\",\"keywords\":[\"Cybersecurity\"],\"articleSection\":[\"Cybersecurity\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/01\/1000-data-breaches-later-the-disclosure-lag-is-worse-than-ever\/\",\"url\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/01\/1000-data-breaches-later-the-disclosure-lag-is-worse-than-ever\/\",\"name\":\"1,000 Data Breaches Later, the Disclosure Lag is Worse Than Ever - Imperative Business Ventures 
Limited\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/01\/1000-data-breaches-later-the-disclosure-lag-is-worse-than-ever\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/01\/1000-data-breaches-later-the-disclosure-lag-is-worse-than-ever\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/storage.ghost.io\/c\/fb\/33\/fb3391dc-723d-4e74-b95a-d641b5feb38e\/content\/images\/2026\/06\/photo_2026-05-31_20-34-34.jpg\",\"datePublished\":\"2026-06-01T09:06:05+00:00\",\"author\":{\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/01\/1000-data-breaches-later-the-disclosure-lag-is-worse-than-ever\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/01\/1000-data-breaches-later-the-disclosure-lag-is-worse-than-ever\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/01\/1000-data-breaches-later-the-disclosure-lag-is-worse-than-ever\/#primaryimage\",\"url\":\"https:\/\/storage.ghost.io\/c\/fb\/33\/fb3391dc-723d-4e74-b95a-d641b5feb38e\/content\/images\/2026\/06\/photo_2026-05-31_20-34-34.jpg\",\"contentUrl\":\"https:\/\/storage.ghost.io\/c\/fb\/33\/fb3391dc-723d-4e74-b95a-d641b5feb38e\/content\/images\/2026\/06\/photo_2026-05-31_20-34-34.jpg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/01\/1000-data-breaches-later-the-disclosure-lag-is-worse-than-ever\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.ibvl.in\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"1,000 Data Breaches Later, the Disclosure Lag is Worse Than 
Ever\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.ibvl.in\/#website\",\"url\":\"https:\/\/blog.ibvl.in\/\",\"name\":\"Imperative Business Ventures Limited\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.ibvl.in\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"caption\":\"admin\"},\"sameAs\":[\"https:\/\/blog.ibvl.in\"],\"url\":\"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/3419","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/comments?post=3419"}],"version-history":[{"count":0,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/3419\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/media?parent=3419"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/categories?post=3419"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/tags?post=3419"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}