We see this problem first-hand. Every day we find breached or leaked data (including customer credentials and PII). We make repeated attempts to notify the affected companies through every available channel, but most of the time we are ignored.
Most of these organizations do not have responsible breach disclosure practices or a vulnerability disclosure policy (VDP) in place.
However, it is their responsibility to protect their company and customer data and be transparent when things go wrong.
One in four ethical hackers has not reported a vulnerability they found because the company had no channel through which to disclose it. That is according to HackerOne's '2018 Hacker Report', which surveyed 1,698 members of the hacking community, making it the largest documented survey ever conducted of the ethical hacking community. One of the standout findings was that almost 25 per cent of respondents said they were unable to disclose a security flaw because the affected company lacked a vulnerability disclosure policy (VDP). This doesn't mean the hackers don't try: HackerOne notes that many attempt to contact firms via social media and email but are "frequently ignored or misunderstood."