Equifax Suffered Breach Before Massive May Hack
By Alex Hern
PUBLISHED: SEPTEMBER 19, 2017
Equifax, the credit monitoring agency that lost personal data of 143 million US customers in a massive hack in May, has revealed that it was also the victim of an earlier breach in March.

The earlier breach was serious enough for the company to notify customers, and bring in the information security firm Mandiant to investigate. But the millions of Americans whose personal data the company stockpiles to power its services are not technically customers of the company, and so it did not inform them.

Following a report by Bloomberg, Equifax came clean about the breach in a statement. "Earlier this year, during the 2016 tax season, Equifax experienced a security incident involving a payroll-related service. The incident was reported to customers, affected individuals and regulators. This incident was also covered in the media."

Specialist blog Krebs on Security was one of the few outlets to cover the breach at the time -- when Equifax initially disclosed the hack to customers in May, two months later.

"The March event reported by Bloomberg is not related to the criminal hacking that was discovered on 29 July," Equifax's statement continues. "Mandiant has investigated both events and found no evidence that these two separate events or the attackers were related. The criminal hacking that was discovered on 29 July did not affect the customer databases hosted by the Equifax business unit that was the subject of the March event."

Five organizations are known to have received warnings from Equifax that their data was unlawfully accessed in March, and the company also sent a letter to the New Hampshire attorney general admitting to the breach.

In the letter, the company revealed that the attackers "gained access to the accounts primarily by successfully answering personal questions about the affected employees in order to reset the employees' pins." As a result, it was unable to even work out how much fraudulent access occurred, since the logins looked legitimate for its system.

Equifax is already facing criticism for the long delay between the May breach and its revelation to consumers that their data had been stolen, which came four months later. In the intervening period, multiple Equifax executives sold stock in the company, prompting an investigation from US regulators over whether or not they were committing insider trading.

Equifax has always insisted that the executives were unaware of the May breach at the time they sold their stock, but the March breach adds a twist to the tale.

Alongside the 143 million US consumers whose data was stolen, 400,000 UK residents also had their data illegally accessed, Equifax confirmed. Unlike the Americans, however, the Britons only had names, dates of birth, email addresses and telephone numbers stolen -- postal addresses or government ID numbers were not included.

On Friday, the company announced that two executives, its chief information officer and chief security officer, would leave the company immediately. It also revealed, on Wednesday, that the root of the breach was a known flaw in the software package Apache. The flaw had been discovered and fixed by Apache in March, but Equifax had not applied the patch to its own systems by May.

The company said its security officials were "aware of this vulnerability at that time, and took efforts to identify and to patch any vulnerable systems in the company's IT infrastructure."

© 2017 Guardian Web under contract with NewsEdge/Acquire Media. All rights reserved.

Diane:
Posted: 2017-09-25 @ 6:33am PT
Based on what I have read thus far, it seems as though a person is not safe no matter what! What should one do? This is very confusing. Is it safe for me to even do this?

Please do not post my name. I guess that does not matter either. Everyone knows everything! No privacy at all. I was just about to join LifeLock, now I do not know. Also, they advertise they are open 24/7 no one answered after I saw ad early this morning!?

© Copyright 2017 NewsFactor Network. All rights reserved. Member of Accuserve Ad Network.