Afternoon Cyber Tea with Ann Johnson
Episode: Inside Data Breaches and Human Behavior with Troy Hunt
Date: December 9, 2025
Guest: Troy Hunt (Founder, Have I Been Pwned)
Host: Ann Johnson (Corporate Vice President and Deputy Chief Information Security Officer, Microsoft)
Episode Overview
In this episode, Ann Johnson sits down with Troy Hunt to dissect the realities behind data breaches, human behavior, and how the intersection of technology, psychology, and organizational priorities shapes cybersecurity outcomes. Drawing on Troy's deep experience managing "Have I Been Pwned" (HIBP), with its vast troves of breach records, the conversation moves from the scale and recurring nature of breaches, to the frustrating gaps in disclosure and transparency, the inevitability of human error, and what a more resilient digital future might look like.
Key Discussion Points & Insights
The Scale and Nature of Data Breaches
Billions of Records, Repeated Exposure
- HIBP tracks over 17 billion breached records, involving nearly 7 billion unique email addresses, meaning most individuals show up in multiple breaches.
- “When someone gets breached, they usually get breached more than once... the sum of the parts of these different breaches ends up exposing very rich data sets about individual victims." (Troy Hunt, 01:42)
Overlapping Victimization
- Extended time online raises risk; most people (including Troy himself) have appeared in dozens of breaches due to long-term internet activity.
The Human Side: Weakness and Disclosure
Most Frustrating Weakness: Organizational Reluctance to Disclose
- Troy flagged not individual mistakes, but organizational reluctance to notify impacted users.
- “Maybe one of the human weaknesses we have here is actually not on behalf of the individual victims, but on behalf of the corporate victims.” (Troy Hunt, 03:06)
- Organizations often prioritize shareholder value over transparency to customers.
Corporate Psychology and Risk Aversion
- Companies' “number one priority … is to shareholders… organizations end up in a bit of a nasty position where they’re trying to publicly demonstrate how important security is...but inevitably it then leads to this, protecting the organisation, being careful what they say, not admitting to fault.” (Troy Hunt, 04:07)
- Disclosure systems are often inadequate and slow.
Human Behavior: Fatigue, Selfishness & Mistakes
Breach Fatigue
- Regular notifications desensitize individuals.
- “It’s a big yawn at this point in time because I’m like, okay, my data’s out there. I’m just gonna make sure I have more alerts and more strong authentication on my accounts.” (Ann Johnson, 07:00)
- Troy calls this “data breach fatigue,” leading people to develop resilience (password managers, alerts) rather than panic at every new breach.
Self-Interest Driving Negative Outcomes
- Class-action lawsuits by individuals can encourage organizations to withhold disclosures:
- "In this pursuit of selfishness, this gratification and making like literally a buck is it's driving organizations to be very standoffish and very defensive and not be transparent and not be expeditious and in some cases not disclose to individuals at all. And that's just a terrible outcome." (Troy Hunt, 06:00)
Even Experts Make Mistakes
- Troy candidly recounts falling for a phishing scam despite his expertise, due to jet lag and emotional vulnerability—demonstrating no one is immune to manipulation.
- "[E]ven experts make mistakes ... It helps other people feel not so bad." (Ann Johnson, 12:59)
- “I got phished earlier this year like proper successfully phished... People have moments of weakness, you know, they're tired, they're rushed, they're concerned about losing something. And now here we are.” (Troy Hunt, 10:46)
- Troy’s transparency turned the incident into an educational moment.
Organizational and Regulatory Challenges
Preparedness and Responsive Design
- Breaches are inevitable; organizations should focus on resiliency and containment, similar to business continuity planning.
- "If we had data breach response… as part of organizational preparedness… that would make a really big difference." (Troy Hunt, 08:26)
Transparency's Power and Limits
- Troy believes open processes (e.g., open-source code in HIBP) build trust and dispel myths.
- “The great thing about transparency is that it's almost like a self evident proof.” (Troy Hunt, 21:00)
- However, he’s skeptical regulatory frameworks alone drive openness—disclosure to affected individuals is often minimal unless strictly mandated.
Regulatory Lag
- Laws struggle to keep up with technological change (example: Australia's move to ban under-16s on social media and the unintended consequences thereof).
- "[L]egislation always lags behind technology by some number of years..." (Troy Hunt, 18:32)
The Future of Identity and Authentication
Identity Systems and Human Nature
- Current solutions (e.g., uploading IDs, facial scans) raise privacy and practicality questions.
- Age/identity verification exposes tensions between privacy, trust, and user experience.
- “[I]t's very, very, very hard to do any sort of identity assurance or verify or trust based on any of the assets that we have available to us today.” (Troy Hunt, 17:07)
Passwordless/Passkey Authentication
- Troy and Ann are hopeful, but realistic about the transition away from passwords.
- "We do have much more viable alternatives today than when I was answering questions 10 years ago... passkeys I mentioned before are fantastic." (Troy Hunt, 28:10)
- But, "we’re still going to have to deal with this...they’ll find the next path of least resistance..." (Troy Hunt, 28:25)
The Role and Impact of Have I Been Pwned
Personalization as a Wake-Up Call
- Seeing one’s own email in HIBP prompts board members and executives to take security personally.
- "I just put Have I Been Pwned in front of them, whack your email address into here..." (Troy Hunt, 09:12)
- The service's transparency and open data explanations also counter misinformation and misunderstanding about breach incidents.
Twelve Years of Impact
- HIBP’s growth surprised Troy as well: “No one is more surprised than me that it has...become...essential part of the fabric of many parts of the Internet.” (Troy Hunt, 20:16)
Limits to Influence
- "You can either do the right thing and be honest and tell everyone about it and that will line up with our messaging, or you can try and cover it up, say nothing, be dismissive, and we'll still give the right, accurate information to people..." (Troy Hunt, 24:24)
Memorable Quotes & Notable Moments
- On Organizations and Disclosure:
- “The biggest blocker for organizations disclosing is that their number one priority is not to their customers...their number one priority...is to shareholders.” (Troy Hunt, 04:07)
- On Human Error:
- “I got phished earlier this year...and I think that contextualizes it for everyone and shows that we all have a human weakness somewhere that'll take us can exploit.” (Troy Hunt, 10:46)
- On the Value of Personalization:
- “If you can personalize, people pay attention...it's part of human DNA.” (Ann Johnson, 09:57)
- On Transparency:
- “If an organization leaves a vacuum after a data breach, people will fill the vacuum. And very often it’s reporters that fill the vacuum.” (Troy Hunt, 26:29)
- On Optimism:
- “We do have...more viable alternatives today...the passkeys I mentioned before are fantastic. Now, most people don’t know how they work, which is part of the problem. However, we do have a technical mechanism which does solve one of the greatest problems we have.” (Troy Hunt, 28:25)
Important Timestamps
- [01:42] – Troy quantifies breach scale and repeat victimization.
- [03:06] – Discussion on the greatest human weakness: lack of organizational disclosure.
- [06:00] – The effect of selfishness on breach response and class actions.
- [07:24] – “Breach fatigue” and normalization of notifications.
- [10:46] – Troy's story of being phished—no one is immune.
- [14:41] – How rapid, transparent response to being breached sets a positive example.
- [15:45] – Challenges in designing human-first authentication and age verification.
- [21:00] – Transparency as a defense against misinformation.
- [22:31] – Regulatory gaps and constraints related to disclosure.
- [24:24] – Advice for CISOs: control the message or the message controls you.
- [28:10] – Why passwordless authentication is a hopeful (but not total) solution.
Conclusion: Looking Forward with Hope
The conversation ends on a note of "cyber optimism," recognizing both the persistent and evolving threat landscape and the steady progress in technical defenses, organizational culture, and industry-wide transparency. Troy emphasizes the importance of building systems—and communities—that expect breaches but are resilient and transparent in their response.
This summary provides the essential contents, memorable insights, and candid tone of the conversation, serving as a useful guide for anyone who hasn't listened to the episode.
