HeadlinesBriefing.com

Disclosure delays grow despite GDPR, HIBP hits 1,000 breaches

Hacker News

Troy Hunt marked the 1,000th breach entered into Have I Been Pwned and used the milestone to highlight a growing disclosure lag. Despite GDPR and CCPA being in force for over a decade, companies still wait weeks to inform victims. Recent incidents at Carnival and Zara show breaches surfacing publicly long before official notices reach consumers and regulators.

The Carnival breach involved 8.7 million records, with 85 percent already listed on HIBP. ShinyHunters announced the leak on April 24, yet Carnival waited until May 27—43 days after discovery—to issue a press release. During that window, personal details circulated on dark‑web forums, Telegram channels, and numerous hacking sites, exposing customers without warning or any chance to secure their accounts or mitigate identity theft.

Hunt argues that the lag stems from organizations treating breach notification as a legal shield rather than a customer-service duty. Class‑action lawsuits amplify the incentive to delay, as seen in the ZenBusiness and DentaQuest cases where firms cited vague statutory thresholds. Under GDPR and CCPA, regulators can still deem such postponements unlawful, while the delays leave victims in the dark indefinitely.