Bloomberg reports that Equifax suffered a breach to its system in March of this year, months before the serious hack the credit firm announced earlier this month that put the personal identity information of 143 million Americans at risk (emphasis ours).
Equifax Inc. learned about a major breach of its computer systems in March — almost five months before the date it has publicly disclosed, according to three people familiar with the situation.
In a statement, the company said the March breach was not related to the hack that exposed the personal and financial data on 143 million U.S. consumers, but one of the people said the breaches involve the same intruders. Either way, the revelation that the 118-year-old credit-reporting agency suffered two major incidents in the span of a few months adds to a mounting crisis at the company, which is the subject of multiple investigations and announced the retirement of two of its top security executives on Friday.
Equifax hired the security firm Mandiant on both occasions and may have believed it had the initial breach under control, only to have to bring the investigators back when it detected suspicious activity again on July 29, two of the people said.
The company is under major fire as it was revealed last week the breach was due to Apache web platform software running without a critical patch. In addition, the US Department of Justice is now investigating three of the company’s top executives for possible insider trading.
Investigators are looking at the stock sales by Equifax’s chief financial officer, John Gamble; its president of U.S. information solutions, Joseph Loughran; and its president of workforce solutions, Rodolfo Ploder, said two of the people, who asked not to be named because the probe is confidential.
The company and the executives didn’t immediately respond to requests for comment.
Equifax disclosed earlier this month that it discovered a security breach on July 29. The three executives sold shares worth almost $1.8 million in early August. The company has said the managers didn’t know of the breach at the time they sold the shares.
Regulatory filings don’t show that the transactions were part of pre-scheduled trading plans.