Earlier hack came in March
Equifax learned about a major breach of its computer systems in March — almost five months before the date it has publicly disclosed, according to three people familiar with the situation.
In a statement, the company said the March breach was not related to the hack that exposed the personal and financial data on 143 million U.S. consumers, but one of the people said the breaches involve the same intruders. Either way, the revelation that the credit reporting agency suffered two major incidents in the span of a few months adds to a mounting crisis at the company, which is the subject of multiple investigations.
Equifax hired the security firm Mandiant on both occasions and may have believed it had the initial breach under control, only to have to bring the investigators back when it detected suspicious activity again on July 29, two of the people said.
Equifax’s hiring of Mandiant the first time was unrelated to the July 29 incident, the company spokesperson said. The company said it experienced a security incident involving a payroll-related service during the 2016 tax season earlier this year. Equifax said the incident was reported to customers, affected individuals and regulators. FireEye, Mandiant’s parent company, declined to comment.
The revelation of a March breach will complicate Equifax’s efforts to explain unusual stock sales by Equifax executives.
Equifax has said the executives had no knowledge that an intrusion had occurred when the transactions were made.