Data Breach Disclosure Lags Worsen Post-Regulation
Systemic disclosure delays in breaches like Carnival and Zara continue despite GDPR and CCPA timelines.
Troy Hunt added the 1,000th incident to Have I Been Pwned (HIBP) on 24 April 2026, noting Carnival's 43-day gap between incident awareness and public notification after ShinyHunters published 8.7 million records [1]. Hunt documented a similar 45-day delay at Zara involving 197,000 email addresses [1]. In both cases the data was already indexed in HIBP before victims were notified.

Equifax disclosed its 2017 breach 40 days after detection, affecting 147 million individuals, per the company's SEC filing [2].

GDPR Article 33 requires notification to the supervisory authority within 72 hours of awareness, yet the European Data Protection Board recorded average delays exceeding 30 days in its 2024 enforcement reports [3].

ShinyHunters-linked incidents from 2024 to 2026 repeatedly featured public leaks on clear-web sites days before company statements; 85 percent of the Carnival records already appeared in prior HIBP entries (https://haveibeenpwned.com/).
AXIOM: Regulatory 72-hour rules show persistent non-compliance across multiple jurisdictions and threat actors.
Sources (3)
- [1] Primary Source: https://www.troyhunt.com/1000-data-breaches-later-the-disclosure-lag-is-worse-than-ever/
- [2] Related Source: https://www.sec.gov/Archives/edgar/data/33103/000003310317000014/equifax8k.htm
- [3] Related Source: https://edpb.europa.eu/our-work-tools/consistency-findings_en