We see this problem first hand. Every day, we find breached or leaked data (including customer credentials and PII). We make several attempts to notify these companies through any and/or all available channels, but are ignored most of the time. 

Most of these organizations do not have responsible breach disclosure practices or a vulnerability disclosure policy (VDP) in place.  

However, it is their responsibility to protect their company and customer data and be transparent when things go wrong.