Apparently Equifax had another, separate breach in March of this year, 5 months before the breach that they have already announced.
Equifax hired the security firm Mandiant to check into both breaches, but since they have not said anything about this first breach, we really don’t know much about it.
One assumes that this secret earlier breach will only fuel the fires behind the dozens of lawsuits and the dozens of separate investigations.
It will also make people wonder about those executive stock sales – the ones that were NOT on the SEC sale schedule and that occurred a couple of days before the announcement of the second breach but months after the first breach.
It is possible that they discovered the first breach before any data was stolen, but if that were the case, how do you explain that the second breach, only a few months later, went undetected for several months? There is no logic that can explain this.
We have also seen cases where the breached company didn’t want to find any evidence of something that would require them to notify anyone. Breach? Breach? What breach? I don’t see any breach. If you tell the investigators to only look in one corner where nothing happened, they likely won’t find any problems. The company said that they have complied with all mandatory notifications regarding the March breach.
The fact that Equifax was lobbying Congress to reduce their breach reporting requirements at the same time that they were investigating the first breach is, shall we say, a bit problematic. And it has terrible optics.
Is this the final straw that has the board fire the CEO? I don’t know, but I would not be surprised.
Another source is saying that the goal of the attackers may have been to use Equifax to breach some of Equifax’s large banking partners. At least one bank appears to have been compromised and Equifax says that it is working with its banking partners to mitigate damage.
Information for this post came from Bloomberg.