Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
Two breach disclosures landed this week. Different companies, different industries. Same pattern: the breach happened months ago, and you’re just finding out now.
Kaplan North America notified customers on March 17 that attackers accessed its systems between October 30 and November 18, 2025. Social Security numbers. Driver’s license numbers. At least 173,000 people affected, possibly over 230,000. The breach window closed in mid-November. Notifications went out in mid-March. That’s roughly 4.5 months from “we know” to “we told you.”
Mazda disclosed the same week. Attackers accessed systems in mid-December 2025. Notification came March 19, 2026. About three months. Employee and business partner PII exposed.
Neither company appears to have broken any obvious law. US breach notification requirements are a patchwork of state rules with no uniform federal standard, and a “reasonable” timeframe has been stretched to mean a lot of things. Companies spend weeks doing forensics, consulting lawyers, coordinating with insurers, and preparing polished disclosure letters while the clock runs for everyone in the database.
The gap between “we know” and “we told you” isn’t neutral. It’s the window where identity thieves move fastest. Someone with your SSN and driver’s license can do serious damage in four months. The notification, when it finally arrives, is almost always after the fact.
A class action investigation into Kaplan is already underway.
If you’ve ever used Kaplan’s services, don’t wait for a letter. Check your credit reports now. Better yet, freeze your credit at all three bureaus: Equifax, Experian, and TransUnion. It’s free, takes ten minutes, and is the most effective tool available for stopping new accounts from being opened in your name.