Last month I reported on a breach involving a Great River Entertainment facility. Great River notified the New Hampshire Attorney General’s Office of the breach on October 1, but the timeline is somewhat disturbing:
1. In November 2011, they were informed that guests were experiencing fraud on cards used there.
2. On or about March 1, 2012, Security Metrics confirmed that there had been a breach involving malware.
3. On September 15, 2012, notices were sent to guests from the card issuers because Great River’s PAS does not retain cardholders’ names.
Why the six-month gap from confirmation to notification?
In total, there was a 10-month gap between the time they were first notified that there was a problem and the time guests were notified. That’s way too long by today’s standards, and I wonder whether state attorneys general will open investigations or try to fine them for the late notification.