The October incident, involving a vulnerability in third-party software, went undetected for three months. The Phoenix, Arizona-based lender then took 46 days to disclose it.