Troy Hunt, founder of Have I Been Pwned (HIBP), today loaded the 1,000th data breach into the service. Reflecting on that milestone, Hunt posed a simple question: why is the service still needed, especially after privacy regulations like GDPR and CCPA emerged over the 12.5 years since HIBP began? The answer, as Hunt wrote, is increasingly long lag times for breach disclosure.
A Growing Pattern of Delay
According to Hunt, the evidence of worsening disclosure lag is everywhere, though he acknowledges it is anecdotal. Two recent breaches involving the ShinyHunters group illustrate the trend. Both cases involved a 'pay or leak' attack, followed by wide distribution of stolen data, yet victims were notified weeks later.
Carnival's 43-Day Wait
On April 24, 2026, ShinyHunters published 8.7 million records stolen from cruise operator Carnival Corporation. The data included 7.5 million email addresses, plus loyalty program details, dates of birth, and location data. Carnival knew of the incident many days earlier — ShinyHunters had posted a threat on their dark-web site before leaking. Despite the public leak, Carnival did not notify victims until May 27, a full 43 days after learning of the breach. As Hunt noted, during that period some affected individuals who found their address in HIBP and asked Carnival about it were told that no breach existed.
Zara's 45-Day Silence
Just days later, another ShinyHunters victim emerged: fashion retailer Zara. Hunt reported that Zara took 45 days to disclose the breach — even longer than Carnival. The stolen data was broadly distributed across hacking forums, Telegram channels, and other platforms, making it widely accessible. Hunt's own summary of the Zara delay: 'FFS. 45 days. Even worse than Carnival.'
Why the Disclosure Lag?
Hunt challenges the common rationale for delays: 'thorough and time-consuming analysis of the impacted data.' He argues that while understanding precise jurisdictional details and data scope takes time, extracting email addresses for early notification is straightforward. 'I've literally done it a thousand times now,' he wrote. The implication is that organizations prioritize comprehensive analysis over timely victim warnings.
| Company | Records Exposed | Email Addresses | Disclosure Delay |
|---|---|---|---|
| Carnival Corporation | 8.7 million | 7.5 million | 43 days |
| Zara | Not specified | Not specified | 45 days |
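As an added illustration of the point Hunt makes above (this is not code from Hunt or HIBP), the script below performs the early-notification step he describes over a constructed customer export: count the records, pull every well-formed email address from any field, normalize and de-duplicate them. The column layout and sample rows are assumptions, built to mirror the field types the article lists for Carnival.

```python
import csv
import io
import re

# Constructed sample export (not real data). Columns mirror the data types the
# article lists: email, loyalty details, date of birth, location. The rows include
# a duplicate in different case, a blank email, a malformed value and stray whitespace.
SAMPLE_DUMP = """customer_id,email,loyalty_tier,dob,city
1001,Alice@Example.com,gold,1980-02-11,Miami
1002,bob@example.com,silver,1975-07-30,Seattle
1003,alice@example.com,gold,1980-02-11,Miami
1004,,bronze,1990-12-01,Denver
1005,not-an-email,silver,1988-05-05,Austin
1006,carol@example.org ,platinum,1969-09-09,Boston
"""

# Deliberately simple shape check: one '@', no whitespace, a dot in the domain part.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def normalize_email(value):
    """Trim and lower-case a field; return None when it is empty or not an address."""
    candidate = (value or "").strip().lower()
    return candidate if EMAIL_RE.match(candidate) else None


def unique_emails(dump_text):
    """Return (record_count, set_of_unique_addresses) for a CSV export with a header row.

    Every field of every row is inspected, because leaked exports do not always
    label the email column cleanly. Records without a usable address are counted
    but contribute nothing to the notification list.
    """
    reader = csv.DictReader(io.StringIO(dump_text))
    records = 0
    addresses = set()
    for row in reader:
        records += 1
        for field in row.values():
            email = normalize_email(field)
            if email:
                addresses.add(email)
    return records, addresses


if __name__ == "__main__":
    n_records, emails = unique_emails(SAMPLE_DUMP)
    print(f"{n_records} records -> {len(emails)} unique addresses to notify")
    for address in sorted(emails):
        print(address)
```

The gap between the record count and the unique-address count is the same distinction the article draws for Carnival (8.7 million records, 7.5 million email addresses).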
Regulatory Context
Hunt's milestone — 1,000 breaches loaded into HIBP — comes after the introduction of GDPR in 2018 and CCPA in 2020, both of which mandate breach notification. Yet the disclosure lag appears to be worsening. Hunt's post is a stark reminder that regulations alone have not solved the problem. For enterprise technology leaders, these cases underscore the need for incident response plans that prioritize early, limited notification to affected individuals, even before full forensic analysis is complete.