In late September, Yahoo announced that at least 500 million user accounts had been compromised. The data stolen included users’ names, email addresses, telephone numbers, dates of birth and encrypted passwords, but not credit card data.

Large data breaches have become increasingly common: Just in 2016 we have found out about Yahoo’s breach as well as the LinkedIn hack (compromising 167 million accounts) and the MySpace breach (360 million accounts).

The Yahoo breach affected more users than the other two, but all of them share a crucial element: They were announced to the public years after the fact. The LinkedIn hack happened in 2012, MySpace was breached in 2013 and Yahoo was hacked in 2014. Not until 2016 did users of the three sites find out their information had been stolen.

When personal information is stolen, rapid response is important. Customers need to change their passwords, and take other steps to protect their identity, including securing bank accounts and credit records. If people don’t know a breach has occurred and that they need to take these protective steps, they remain vulnerable.

So why does it take such a long time for companies to disclose that they have been hacked? It’s not as simple as you might think – or hope.