[needcaffeine]

Because if they didn't, they'd get criticism about not doing so right away. Also...GDPR?

[majewsky]

This is not related to GDPR afaics, but at least in Germany, there is an IT security law that governs how companies must disclose security breaches. (Don't get your hopes up, that law is entirely toothless in practice.)