In the United States, yes, companies must disclose that information in accordance with security breach notification laws.

Breaches must be reported if “sensitive personally identifying information has been acquired or is reasonably believed to have been acquired by an unauthorized person, and is reasonably likely to cause substantial harm to the individuals to whom the information relates.”