
Flagging sensitive breaches safeguards individuals from life‑altering retaliation and protects breach‑lookup services from legal and reputational risk.
The Ashley Madison hack remains a cautionary tale for privacy professionals. Beyond the technical fallout, the breach sparked a wave of public shaming—websites, churches, media outlets, and even radio shows exposed users, leading to suicides, divorces and career ruin. This human cost highlighted a gap in early breach‑response frameworks: the need to consider the social ramifications of exposing personal data, not just the breach itself.
In response, Troy Hunt’s Have I Been Pwned introduced a "sensitive breach" flag, aligning with GDPR, CCPA and EU definitions of sensitive personal information. Under this policy, breaches that reveal racial or ethnic origin, political beliefs, sexual orientation, health data, or other protected categories are automatically hidden from public search. Real‑world examples show how nuanced the decision can be: Fur Affinity, where mere membership carries community stigma; WhiteDate, with its white‑supremacy associations; and AI‑girlfriend services whose data contained illegal child‑exploitation prompts. By treating these breaches as sensitive, HIBP prevents mass doxing while still alerting affected users through private notifications.
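The distinction the policy draws, that a sensitive breach is withheld from anonymous public search but still reported privately to the verified owner of the address, can be modelled directly. The following is an added example written for this article, not HIBP's own code or data model; the category labels, breach names and lookup index are constructed, and the "membership reveals" field is an assumption used to capture the Fur Affinity and WhiteDate cases, where the leaked fields look innocuous but appearing in the dump at all is what exposes a person.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Special categories of personal data, modelled on GDPR Article 9.
# Label strings are constructed for this example, not HIBP's data-class names.
SENSITIVE_CATEGORIES: FrozenSet[str] = frozenset({
    "racial or ethnic origin", "political opinions", "religious beliefs",
    "sexual orientation", "health data", "genetic data", "biometric data",
})

@dataclass(frozen=True)
class Breach:
    name: str
    # Fields actually present in the dump (e.g. "email addresses", "passwords").
    data_classes: FrozenSet[str]
    # What merely appearing in the dump reveals about a person, even when the
    # leaked fields themselves look harmless (the WhiteDate / Fur Affinity case).
    membership_reveals: FrozenSet[str] = frozenset()

def is_sensitive(breach: Breach) -> bool:
    """Sensitive if any leaked field, or membership itself, is a protected category."""
    exposed = breach.data_classes | breach.membership_reveals
    return bool(exposed & SENSITIVE_CATEGORIES)

def public_lookup(email: str, index: Dict[str, List[Breach]]) -> List[str]:
    """Anonymous search by anyone: sensitive breaches are withheld to prevent doxing."""
    return sorted(b.name for b in index.get(email, []) if not is_sensitive(b))

def owner_notification(email: str, index: Dict[str, List[Breach]],
                       ownership_verified: bool) -> List[str]:
    """Private notification: the full list, but only once address ownership is verified."""
    if not ownership_verified:
        return public_lookup(email, index)
    return sorted(b.name for b in index.get(email, []))

# Constructed sample breaches and a constructed lookup index (not real data).
GENERIC_FORUM = Breach("ExampleForum", frozenset({"email addresses", "passwords"}))
DATING_SITE = Breach("ExampleDatingSite", frozenset({"email addresses", "usernames"}),
                     membership_reveals=frozenset({"sexual orientation"}))
CLINIC = Breach("ExampleClinic", frozenset({"email addresses", "health data"}))

INDEX: Dict[str, List[Breach]] = {
    "alice@example.com": [GENERIC_FORUM, DATING_SITE],
    "bob@example.com": [CLINIC],
}

if __name__ == "__main__":
    print(public_lookup("alice@example.com", INDEX))             # ['ExampleForum']
    print(owner_notification("alice@example.com", INDEX, True))  # ['ExampleDatingSite', 'ExampleForum']
```

Note that the dating-site breach is classified sensitive even though none of its leaked fields is a protected category on its own; the classification has to consider what the service itself implies about its members.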
For businesses, the lesson is clear: breach disclosure strategies must balance transparency with ethical responsibility. Companies should classify data according to legal sensitivity, engage law‑enforcement when illegal content surfaces, and avoid weaponising breach data for moral policing. Failure to do so can trigger severe reputational damage, regulatory penalties, or even service shutdowns. Ultimately, respecting privacy as a human right—anchored in Article 12 of the Universal Declaration of Human Rights—ensures that data‑breach services remain trustworthy tools rather than instruments of public vengeance.