Dwell Time & Response AnatomyThe initial access occurred on March 9, but it was only officially reported on June 26, according to a notice filed with the Maine Attorney General's Office. However, the dwell time for the cyberattackers before discovery was "much narrower" than that timeline would suggest, according to the company's spokesperson.Rather than months, the attackers apparently went unnoticed for a little more than two weeks. The first inkling that there was a problem was a systems anomaly alert on March 25. HealthEquity said it took immediate action upon receiving the alert from its vendor, resolving the issue quickly and then kicking off an "extensive technical investigation and … data forensics" effort that lasted through June 10.That was followed by a validation of the data theft that wrapped up June 26. After that, the company was finally able to file notifications with state authorities, and also notified the US Securities and Exchange Commission although it wasn't mandated to do so."We have taken immediate, proactive and prudent action since we first discovered an anomaly with our third-party vendor," the company said in a statement shared with Dark Reading. "This included quickly resolving the issue, bringing together a team of outside and internal experts to investigate, and preparing for response."The spokesperson also noted that incident response is an ongoing effort: HealthEquity is now in the process of notifying partners, clients and members, and is working with its vendors to prevent future incidents.