Tech

Have I Been Pwned Creator Warns of Deepening Crisis in Data Breach Disclosure Lags

Despite GDPR and CCPA frameworks, Hunt argues that organisations are increasingly withholding notification to mitigate class-action risks, creating a significant transparency gap for consumers.

By Owen Mercer, Markets and Finance Editor
Published: Draft
Source: Hacker News · original
Troy Hunt marks 1,000th breach with analysis of corporate delays, citing legal strategies and regulatory loopholes that leave victims in the dark

Troy Hunt, the creator of the security platform Have I Been Pwned (HIBP), has highlighted a troubling trend in corporate data breach responses as his platform recorded its 1,000th breach entry. Hunt argues that the time elapsed between a security incident occurring and victims being notified has worsened significantly, despite the existence of privacy regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). He attributes these delays to legal strategies designed to avoid class-action lawsuits and the exploitation of regulatory carve-outs that permit organisations to withhold notification under specific conditions.

The analysis points to recent incidents involving cruise operator Carnival, where data from a ShinyHunters attack was published on 24 April. The breach exposed 8.7 million records, including 7.5 million email addresses and loyalty program details. Although the data was widely disseminated across dark-web and clear-web sites within days, Carnival did not notify victims until 27 May, a delay of 43 days after the company became aware of the incident. Hunt noted that during this period, victims were unaware of their exposure despite the data being publicly available.

Similar delays were observed in a breach affecting Zara, where ShinyHunters published data containing 197,000 unique email addresses, customer support records, product SKUs, and order IDs. Hunt described the disclosure lag in this case as even more pronounced than that of Carnival. He suggested that the proliferation of class-action lawsuits following breaches is a primary driver for these delays, as organisations prioritise protecting shareholder interests and minimising legal liability over timely customer communication.

Hunt also cited ZenBusiness, which had not contacted individual victims despite the data being widely available online. He referenced a victim’s account describing the company’s response as prioritising organisational protection over customer care. Hunt argued that this approach reflects a broader industry trend where legal posturing supersedes social accountability, with companies aiming to skirt disclosure obligations by relying on technical definitions of sensitive personal information.

Hunt pointed out that regulations like GDPR and CCPA include specific carve-outs that allow organisations to avoid notification if the compromised data does not meet certain thresholds of sensitivity. He noted that the data types involved in the cited breaches, such as email addresses and loyalty details, often fall outside these strict definitions, allowing companies to legally withhold information. He concluded that, although every breach is a criminal act, the misalignment between corporate goals and consumer expectations ensures that platforms like HIBP remain essential for public awareness.

