Equifax was hacked in March, but kept quiet for months, adding to an already troubling timeline
Credit-score firm admits a breach occurred long before July 29 incident that exposed 143 million customers, but says the two hacks were unrelated
Equifax Inc learned about a major breach of its computer systems in March – almost five months before the date it has publicly disclosed, according to three people familiar with the situation.
In a statement, the company said the March breach was not related to the hack that exposed the personal and financial data on 143 million US consumers, but one of the people said the breaches involve the same intruders. Either way, the revelation that the 118-year-old credit-reporting agency suffered two major incidents in the span of a few months adds to a mounting crisis at the company, which is the subject of multiple investigations and announced the retirement of two of its top security executives on Friday.
Equifax hired the security firm Mandiant on both occasions and may have believed it had the initial breach under control, only to have to bring the investigators back when it detected suspicious activity again on July 29, two of the people said.
Equifax’s hiring of Mandiant the first time was unrelated to the July 29 incident, the company spokesperson said. Vitor De Souza, senior vice-president for global marketing at FireEye Inc., Mandiant’s parent company, declined to comment.
The revelation of a March breach will complicate the company’s efforts to explain a series of unusual stock sales by Equifax executives. If it’s shown that those executives did so with the knowledge that either or both breaches could damage the company, they could be vulnerable to charges of insider trading. The US Justice Department has opened a criminal investigation into the stock sales, according to people familiar with the probe.
Equifax has said the executives had no knowledge that an intrusion had occurred when the transactions were made. The company’s shares fell as much as 1.3 per cent in after-hours trading. The stock closed at US$94.38 in New York on Monday.
New questions about Equifax’s timeline are also likely to become central to the crush of lawsuits being filed against the Atlanta-based company. Investigators and consumers alike want to know how a trusted custodian of so many Americans’ private data could let hackers gain access to the most important details of financial identity, including social security and driving licence numbers, and steal credit card numbers.
In public statements since disclosing the intrusion on September 7, Equifax said it became aware of the breach only after the data taken by the hackers had been gone for months. The company said it discovered the incident on July 29 and “acted immediately to stop the intrusion and conduct a forensic review.” Equifax hired Mandiant to help with the probe on August 2, and said the investigators eventually learned that the hackers had accessed the data in mid-May.
There’s no evidence that the publicly disclosed chronology is inaccurate, but it leaves out a set of key events that began earlier this spring, the people familiar with the probe said.
In early March, they said, Equifax began notifying a small number of outsiders and banking customers that it had suffered a breach and was bringing in a security firm to help investigate. The company’s outside counsel, Atlanta-based law firm King&Spalding, first engaged Mandiant at about that time. While it’s not clear how long the Mandiant and Equifax security teams conducted that probe, one person said there are indications it began to wrap up in May. Equifax has yet to disclose that March breach to the public.
One possible explanation, according to several veteran security experts consulted by Bloomberg, is that the investigation didn’t uncover evidence that data was accessed. Most data breach disclosure laws kick in only once there’s evidence that sensitive personal identifying information like social security numbers and birth dates have been taken. The Equifax spokesperson said the company complied fully with all consumer notification requirements related to the March incident.
Even so, the revelation of an earlier breach will likely raise questions for the company’s beleaguered executives over whether that investigation was sufficiently thorough or if it was closed too soon. For example, Equifax has said that the hackers entered the company’s computer banks the second time through a flaw in the company’s web software that was known in March but not patched until the later activity was detected in July.
Security experts say victim companies have wide leeway about how deep an investigation they want outside investigators to do. Some clients will limit the breadth of access or the time outside investigators can spend on site. Others want a full assessment that encompasses their entire computer network and could include the identification of existing security vulnerabilities. Cost is often a consideration, but the victim company might also believe a breach’s scope is limited.
It’s the stock sales by several executives that are likely to get the most scrutiny in light of the new timeline. On August 1 and August 2, regulatory filings show that three senior Equifax executives sold shares worth almost US$1.8 million. Equifax’s Chief Financial Officer John Gamble sold shares worth $946,374; Joseph Loughran, president of US information solutions, exercised options to dispose of stock worth $584,099; and Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock.
Equifax has said the executives “had no knowledge that an intrusion had occurred at the time,” and the company spokesperson declined to make them available for comment.