Equifax, the credit reference agency at the centre of a major data breach in the US, is said to have been the victim of a hack in March – nearly five months before the date it has disclosed.
That’s according to Bloomberg, who quote three people familiar with the situation.
However, Equifax said in a statement that the March breach was not related to the hack that exposed the personal and financial data of 143 million US consumers and 400,000 UK consumers – but one of Bloomberg’s sources suggested that the breaches involved the same cyber attackers.
Mandiant, the cyber security firm, was hired on both occasions; the suggestion is that the company had the initial breach under control, but had to bring specialists back when it detected suspicious activity again on July 29.
The latest revelations cause further damage to the 118-year-old company, as it pushes further into crisis.
The US Department of Justice has launched a criminal investigation of the data breach, with a focus on the stock sales made by Equifax executives. Regulatory filings on August 1 and August 2 show that the chief financial officer John Gamble sold shares worth nearly a million dollars, and Joseph Loughran, president of US information solutions disposed stock of $584,099. Rodolfo Ploder, president of workforce solutions sold a quarter of million dollars worth of stock. None of the filings were scheduled as part of the company’s trading plans. Gamble had earlier sold 14,000 shares – to the value of $1.91m on May 23.
If it is shown that the executives sold stock knowing that either the March or July data breaches were likely to damage the company’s reputation they could be charged with insider trading.
However, Equifax insisted that its executives “had no knowledge that an intrusion had occurred at the time”.
Either way, the firm is likely to be asked why details of the March breach had not been revealed at an earlier date, and for a clear timeline of events. The most scrutiny will be on how the dates of the cyber breaches match the dates of the shares that have been sold by executives.
Meanwhile, the Atlanta-based company’s problems don’t stop there. It also has to deal with nearly 40 US states that have joined a probe of the firm’s handling of the data breach, Congress is also probing the hack, and Equifax will have to gear up for a number of lawsuits to be filed against it.
On Friday, the company announced that its chief information officer (CIO) and chief security officer (CSO) had ‘retired’.