Why not name and shame?
My concern is that it won't do anything to just silently contact the companies, in hopes of them fixing the problems (which shouldn't have happened in the first place: seriously, SQL injection in 2014?!).
Maybe it's high time to go beyond and legislate it: you *must* disclose the breach(es), and you are also liable if negligence can be shown (as above: SQL injection in this day and age *is* negligent).
IIRC, California does that, or tried to. (A quick Google shows me that they did, though I didn't easily find anything showing the effectiveness.)