Equifax, the credit reporting agency which recently lost the credit information of up to 143 million people to hackers, experienced another security breach months before the one it has already disclosed—and this news broke on the same day it was reported that senior Equifax executives are being investigated for selling off stock after the attack.
Per Bloomberg, three people familiar with the situation have said intruders successfully launched a “major breach” in March. That is months before the previously known breach, which Equifax says began in May and it learned of in late July. At least one of the three people who spoke to the news agency said the same hackers were behind both breaches, though the company says they were unrelated incidents.
After the March breach, Equifax hired security firm Mandiant, which conducted a multi-month investigation, “only to have to bring the investigators back when it detected suspicious activity again on July 29,” Bloomberg reported.
“The retention of Mandiant in March was unrelated to the July 29 cybersecurity incident,” an Equifax spokesperson told Gizmodo in a statement. “Equifax complied fully with all consumer notification requirements related to the March incident. The two events are not related.”
The later breach exploited a vulnerability in Apache Struts, an open-source server framework, which Equifax failed to patch for months after a fix was available.
Meanwhile, investment news site ThinkAdvisor wrote that people familiar with the matter say the US Department of Justice has launched an investigation into whether three top Equifax executives broke the law by selling off over a million dollars in stock after the company learned of the hack.
Investigators are looking into whether Equifax chief financial officer John Gamble, president of U.S. information solutions Joseph Loughran and president of workforce solutions Rodolfo Ploder knew of the breach when they sold off over $1.8 million in stock. The sales were not pre-scheduled, and anyone in the loop on the hack would have known Equifax stock was about to take a serious hit—though the company says the managers were not informed of the breach prior to the sales.
Equifax recently said two senior executives, Chief Information Officer David Webb and Chief Security Officer Susan Mauldin, were already “retiring.”
According to ThinkAdvisor, Atlanta prosecutors, the FBI and the Securities and Exchange Commission are all involved in the multiple federal probes into the hacks and the suspicious sales. The Federal Trade Commission has publicly confirmed its own inquiry, saying it usually does not comment on ongoing investigations but wanted to make it known “in light of the intense public interest and the potential impact of this matter.”
Update 9/19/2017: Equifax has forwarded an additional statement to Gizmodo:
In response to the Bloomberg story attempting to connect two separate Cybersecurity events and suggesting the earlier event went unreported, Equifax offers the following response.
Earlier this year, during the 2016 tax season, Equifax experienced a security incident involving a payroll-related service. The incident was reported to customers, affected individuals and regulators. This incident was also covered in the media.
The March event reported by Bloomberg is not related to the criminal hacking that was discovered on July 29. Mandiant has investigated both events and found no evidence that these two separate events or the attackers were related. The criminal hacking that was discovered on July 29 did not affect the customer databases hosted by the Equifax business unit that was the subject of the March event.