In addition to this summer’s massive attack, Equifax suffered an earlier breach of its systems in March, the company revealed Monday.
While the company has been relatively transparent around May’s breach related to 143 million U.S. consumers, details around March’s breach, including how its systems were penetrated or exactly what information may have been stolen, are scant.
Bloomberg News broke the news late Monday citing three people familiar with the incident. The report suggested that while the March breach was unrelated to this summer’s, it could have involved the same attackers.
According to a statement provided to Threatpost by Equifax on Tuesday, that’s not the case. An Equifax spokesman stressed via email that Mandiant, the FireEye owned firm hired to look into the incidents, found no evidence that these two separate events or the attackers were related.
Security breach notification laws ensure that companies notify individuals of security breaches when they involve personally identifiable information. Equifax says it did just that earlier this year, notifying customers, affected individuals and regulators:
“Earlier this year, during the 2016 tax season, Equifax experienced a security incident involving a payroll-related service. The incident was reported to customers, affected individuals and regulators. This incident was also covered in the media. The March event reported by Bloomberg is not related to the criminal hacking that was discovered on July 29. Mandiant has investigated both events and found no evidence that these two separate events or the attackers were related. The criminal hacking that was discovered on July 29 did not affect the customer databases hosted by the Equifax business unit that was the subject of the March event.”
The company didn’t get into specifics but it appears an Equifax subsidiary, TALX, also known as Equifax Workforce Solutions, was the source of the March breach. Krebsonsecurity.com reported in May that there was a breach at the company, which acts as an online payroll, HR and tax service for Equifax, earlier this year. From April 17, 2016 to March 29, 2017 attackers apparently reset four digit PINs given to customer employees as a password, then stole W2 data after answering questions about them.
It’s unclear how many customers were affected by the March breach but according to Krebs, who sourced a series of public data breach notification letters, it appears a handful of individuals working at Northrop Grumman, Allegis Group, Saint-Gobain Corp., Erickson Living, and the University of Louisville were among those affected.
News of the second breach comes two days after the company confirmed that two senior executives, chief information officer David Webb and chief security officer Susan Mauldin, would be retiring.
The news also comes on the heels of warnings issued by credit card companies Visa and Mastercard. While roughly 143 million Americans’ Social Security numbers, birth dates, addresses, and some driver’s license numbers, were impacted by the breach, Krebs said last week the two companies were alerting financial institutions that more than 200,000 cards were stolen as part of the breach. Internal notices sent by the company hint that Equifax was breached back in November 2016 but the company disputes those claims and insists the information was stolen, as its original report said, from mid-May to July.