California Dept. of Consumer Affairs has a breach, but doesn’t notify those affected for 6 months?

[Erica Absetz <erica () riskbasedsecurity com>]

http://www.databreaches.net/?p=28113

Ouch. The California  Department of Consumer Affairs – Bureau of
Automotive Repair  (“BAR”) learned that a service provider had a
network intrusion breach  that gave someone access to bank account
numbers and bank routing numbers belonging to the Smog Check stations
licensed by the BAR.

The breach reportedly occurred between May 2012 and March 2013, but
according to their notification to the state, they first discovered
the breach on January 4, 2013. So why the six-month delay in
notification?  And why did it take their service provider so long to
discover the breach?
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss-discuss

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges.