1,000 Data Breaches Later, the Disclosure Lag is Worse Than Ever

The author reflects on reaching 1,000 breaches in the Have I Been Pwned database and criticizes the growing delays in public breach disclosure, using recent breaches (Carnival, DentaQuest, ZenBusiness, Charter) and the activities of groups like ShinyHunters as examples; the piece argues that legal incentives, class-action concerns, and regulatory carve-outs enable organisations to delay or avoid notifying affected individuals, increasing harm from widespread PII exposure.