How do you even differentiate this from routine server maintenance that installs kernel patches etc. Theoretically those are all vulnerabilities that exposed data and every single company which is learning of them through CVE etc., should be reporting potential breaches if you hold companies to that bar.