1k Data Breaches Later, the Disclosure Lag Is Worse

Role and Limits of “Have I Been Pwned” (HIBP)

  • Some argue HIBP is less needed now, citing alternative breach search engines that expose more detail.
  • Others counter that exposing raw data or passwords/hashes is dangerous and user‑unfriendly; HIBP’s limited disclosure is intentional.
  • Debate over whether HIBP mostly benefits its operator (branding, speaking, etc.) vs. users, especially given claims in the article that many breaches cause “no real harm.”

What Users Want After a Breach

  • Many want precise info: which fields leaked (name, address, phone, medical, payment, SSN vs. filler data).
  • Some insist the breached company, not a third party, should provide exact per‑user details.
  • Others would even like access to their specific leaked records, but critics say that further distributes sensitive data.

Regulation, Disclosure Lags, and Weak Incentives

  • GDPR/CCPA seen as conceptually strong but poorly enforced; small–mid companies and governments often face little real penalty.
  • The GDPR's 72‑hour deadline covers notifying the supervisory authority (Art. 33), not affected individuals, who need only be told “without undue delay” (Art. 34); posters see that standard as vague and weak.
  • Business incentives differ: founder‑led B2B SaaS may be forced by customers to respond fast; mass‑market B2C often can ignore or minimize incidents.

Accountability and Liability Ideas

  • Strong calls for monetary accountability: fines per leaked user, mandatory data‑loss insurance, mandatory vulnerability disclosure policies, and treating PII as “toxic” with strict retention limits.
  • Others warn that criminalizing mistakes or jailing individual devs/sysadmins would be counterproductive; accountability should focus on leadership and negligence.
  • Some suggest explicit “per‑user breach price” companies must advertise and pay, with multipliers for late or incomplete notification.

Personal Defense Strategies and Email Practices

  • Advice: assume every account will eventually leak; use a password manager with unique passwords, 2FA, and an email aliasing service rather than simple “+ addressing,” since a +tag is trivially stripped to recover the real mailbox and even reveals which service the address was used for.
  • HIBP supports domain‑wide monitoring, though some features and higher volumes require payment; reports about limits and pricing vary.
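Why aliasing beats “+ addressing” is easy to show in code. The following Python is an added example, not code from the article or the thread; the breach rows, service names and the aliasrelay.example domain are constructed. It merges a handful of sample breach records the way anyone combining dumps would, collapsing plus tags, case and Gmail dots into one canonical mailbox, so three differently tagged signups fold back into a single target while a random alias from an aliasing service stays unlinked:

```python
from collections import defaultdict

# Constructed sample of breached "email,service" rows (not real data).
# One mailbox signed up to three services with different +tags and dotting;
# a second used a +tag once and the bare address once; the last is a
# random alias from a hypothetical aliasing service.
SAMPLE_BREACH_ROWS = [
    "Alice.Example+shopco@gmail.com,ShopCo",
    "alice.example+forum@gmail.com,ForumSite",
    "a.liceexample@GMAIL.com,NewsApp",
    "bob+bank@example.org,BankCo",
    "bob@example.org,ShopCo",
    "x7q2p9@aliasrelay.example,ForumSite",
]

# Gmail treats dots in the local part as insignificant and delivers
# googlemail.com to the same mailbox.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def plus_tag(addr):
    """Return the +tag of an address (the part after '+' in the local part), or None.
    For an attacker the tag is a free hint about which service the address was used for."""
    local, _, domain = addr.strip().lower().rpartition("@")
    if not local or not domain or "+" not in local:
        return None
    return local.split("+", 1)[1]


def canonical_email(addr):
    """Collapse a plus-addressed (and, for Gmail, dotted) address to the mailbox it
    actually routes to. Returns None for strings that are not a usable address."""
    local, _, domain = addr.strip().lower().rpartition("@")
    if not local or not domain:
        return None
    local = local.split("+", 1)[0]          # drop the subaddress tag
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")      # Gmail ignores dots
        domain = "gmail.com"
    return f"{local}@{domain}"


def merge_breaches(rows):
    """Group breach rows by canonical mailbox.

    Returns {canonical_email: sorted list of services}. Tagged and dotted
    variants of one mailbox merge into a single key; an alias that carries
    no recoverable base address stays its own key."""
    merged = defaultdict(set)
    for row in rows:
        raw, _, service = row.partition(",")
        key = canonical_email(raw)
        if key:
            merged[key].add(service.strip())
    return {k: sorted(v) for k, v in merged.items()}


if __name__ == "__main__":
    for mailbox, services in merge_breaches(SAMPLE_BREACH_ROWS).items():
        print(f"{mailbox}: {', '.join(services)}")
    # The +tags leak the service name even before merging:
    print([plus_tag(r.split(',')[0]) for r in SAMPLE_BREACH_ROWS])
```

Running it prints three mailboxes: aliceexample@gmail.com is tied to all three services, bob@example.org to two, and the aliasrelay.example address stands alone, which is the isolation an aliasing service buys and a +tag does not.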

Impact, Apathy, and Risk Perception

  • Several posters report little or no tangible harm despite many breach notices, fostering skepticism that breaches matter.
  • Others share serious identity‑theft cases, long‑term harassment and fraud, and argue harms are real but unevenly distributed.
  • Broader concern: mass breaches erode the usefulness of identity data, driving increasingly invasive authentication (KYC questions, biometrics).