Credit monitoring agency Equifax has revealed that it was the victim of a major cyber security breach in March. This is in addition to the huge hack it suffered in May, which compromised the data of 143 million US customers.
Although the company is obliged to notify its customers when there’s a security breach, the millions of Americans whose data the business stockpiles to power its services are not technically customers and so were not informed.
However, after a Bloomberg report exposed the March breach, the company was forced to come clean about it in a statement:
“Earlier this year, during the 2016 tax season, Equifax experienced a security incident involving a payroll-related service. The incident was reported to customers, affected individuals and regulators. This incident was also covered in the media.”
“The March event reported by Bloomberg is not related to the criminal hacking that was discovered on 29 July. Mandiant has investigated both events and found no evidence that these two separate events or the attackers were related. The criminal hacking that was discovered on 29 July did not affect the customer databases hosted by the Equifax business unit that was the subject of the March event.”
Equifax is facing criticism over the delay between its May breach and its admission to customers (four months later) that their data may have been stolen. During this period, a number of Equifax executives sold stock in the company, sparking an investigation into what may have been insider trading, despite the fact that Equifax has always insisted that the executives were unaware of the breach.
Last week, the company announced that its chief information officer and chief security officer would be leaving with immediate effect.