They knew about the breach June 1, confirmed June 6, but the information is only made public after almost five months, November 27? (After a "second, more lengthy investigation".)
It is absurd, and it violates the mandatory timely notification laws which are in place in many states, including Washington.
Umpqua bank was also affected by MoveIt by way of one of their fintech vendors (FIS), they didn't even bother to notify my state's AG, as required by law, nor did they provide timely or accurate notifications.
Maybe companies feel a diffusion of responsibility when there are so many others affected.
This is better than nothing, but it seems absurd.