Equifax Inc. (NYSE:EFX) has disclosed that it suffered a major breach of its computer systems in March. This breach occurred almost five months before the most recently disclosed breach that affected roughly 143 million consumers. In a statement, the company said the March breach was not related to the hack that it disclosed on Sept. 7.
In early March, Equifax began notifying a small number of outsiders and banking customers of a discovered breach and said it was bringing in a security firm to help investigate. The company then hired the security firm Mandiant to assist with the investigation. The Mandiant and Equifax security teams conducted a probe, but it is unclear whether any data was compromised in that breach.
The company did not immediately disclose the breach uncovered in March. An Equifax spokesperson said the company complied fully with all consumer notification requirements related to the March incident. Most data breach disclosure laws kick in only after evidence has shown that sensitive personal identifying information has been accessed.
The company has suffered two major incidents in the span of a few months. A subsequent attack discovered in July let hackers gain access to the most important details of many Americans’ private identity, including social security and driver’s license numbers, and steal credit card numbers. Equifax said it became aware of the breach only after the data had been exposed for months. The company said it “acted immediately to stop the intrusion and conduct a forensic review.”
According to people familiar with the situation, the breaches involve the same intruders. Equifax has said that the hackers accessed the company’s computer banks the second time using a flaw in the company’s web software uncovered in March but not patched until the second breach was detected in July.
The revelation adds to a mounting crisis at the 118-year-old credit-reporting agency. Numerous lawsuits are being filed against the Atlanta-based company. The company announced the retirement of two of its top security executives last Friday.
The revelation of a March breach will also make the company’s efforts to explain a series of unusual stock sales by Equifax executives more complicated. Regulatory filings show that three senior Equifax executives sold shares worth almost $1.8 million on Aug. 1 and Aug. 2. Equifax’s Chief Financial Officer John Gamble sold shares worth $946,374; president of U.S. information solutions Joseph Loughran sold stock worth $584,099; and president of workforce solutions Rodolfo Ploder sold $250,458 of stock.
The U.S. Justice Department has opened a criminal investigation into the stock sales. None of the filings listed the transactions as being part of scheduled 10b5-1 trading plans. If those executives made the sales with the knowledge that either or both breaches could damage the company, they could be charged with insider trading. Equifax claims that when the transactions were made, the executives had no knowledge that an intrusion had occurred.