Hacked Credit Agency Equifax ‘Hit By Separate Intrusion In March’

Equifax was aware of a significant breach to its systems in March, according to a report, in a development that adds to the credit reporting agency’s woes.

On 7 September the firm disclosed that hackers had accessed the personal details of millions of individuals, including 143 million US citizens and about 400,000 British citizens.

Second breach

An Equifax representative confirmed that the organisation had become aware of a breach in March and said disclosure rules had been followed. The March incident hasn’t yet been made public.

Equifax said the March hack wasn’t directly related to the later breach, which it has said occurred in mid-May, but an unnamed individual familiar with the matter told Bloomberg it was carried out by the same individuals.

Bloomberg’s report speculated that the March incident may not have involved the theft of sensitive data on Equifax’s customers, and may instead have been aimed at stealing credentials that could be used to hack into the systems of banks or other financial institutions with which Equifax does business.

Mandiant was reportedly engaged to investigate the March breach and could have begun concluding its investigation just before the second breach occurred in May.

The first incident reportedly affected a small number of outsiders and banking customers, who were notified of it in early March.

Equifax said in a statement it is “working diligently with our bank partners to assess and mitigate any impact to their operations”.

More questions

While the disclosure of the second major hacking incident doesn’t suggest Equifax’s previous statements about the theft of personal data in May are inaccurate, it raises additional questions around the security of the information held by one of the world’s largest credit reporting agencies.

It may also bear on the investigation into unusual stock sales by several Equifax executives in the days following the discovery of the May incident.

Equifax has said that breach came to light internally on 29 July and that it engaged computer security firm Mandiant to investigate on 2 August.

Three of Equifax’s top executives sold shares worth nearly $1.8 million (£1.33m) on 1 and 2 August, according to regulatory filings.

If the executives sold the shares with knowledge that a breach had occurred that could damage the company’s stock price they would be guilty of insider trading. Equifax has said the executives weren’t aware of the breach at the time of the sales.

Attack fallout

Equifax has been damaged by the disclosure of the May breach, with two senior security executives announcing their immediate retirement on Friday. The incidents have resulted in a number of investigations and lawsuits targeting the company.

The US Justice Department has opened a criminal investigation into the share sales, Bloomberg said, citing unnamed sources, while Atlanta’s federal prosecutor said on Monday he was working with the FBI on a criminal investigation focusing on the data breach.

The Consumer Financial Protection Bureau, the Federal Trade Commission and at least 34 state attorneys general have opened inquiries into the attack, while the House Energy and Commerce Committee and the House Financial Services Committee have said they’re holding hearings on the matter.

“The scope and scale of this cyberattack is unprecedented,” stated Maria Vullo, superintendent of the New York Department of Financial Services, on Monday.

She added the department is providing guidelines to ensure the attack receives “the highest level of attention and vigilance at New York’s regulated institutions”.

Do you know all about security in 2017? Try our quiz!