> as they set a ticking clock of 72 hours from the breach to notifying individuals who are in the breach

It doesn't, that 72 hours is for notifying the DPA (Article 33). There is no strict timeline for data subject notification (Article 34), just that it must be done "without undue delay".

And the time limits start running when controller becomes aware of the breach (be it minutes or years after the actual breach). If processor is breached the time limits only start running once they notify the controller. Time limit to notify controller is "without undue delay" (33(2)). I don't think there is a lot of case law around what that exactly means.