When Equifax first disclosed the shocking news on September 7 that its servers and some 143 million private account had been hacked, leaking everything from names, to addresses, to social security numbers, it stated in its press release that it had "learned of the incident on July 29, 2017" adding that "at which point it reported the intrusion to law enforcement and contracted a cybersecurity firm to conduct a forensic review: based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017."
As we commented then, it "oddly enough took shareholders and over a third of America, more than a month longer to learn that all their personal data may have been compromised."
And now, according to Bloomberg, it appears the company had lied again as it wasn't "only one month" but nearly six that the company was aware that its systems had been violated without acting on the information::
Equifax Inc. learned about a major breach of its computer systems in March -- almost five months before the date it has publicly disclosed, according to three people familiar with the situation
While the March breach was reportedly not related to the hack that exposed the personal and financial data on 143 million U.S. consumers, "one of the people said the breaches involve the same intruders. Either way, the revelation that the 118-year-old credit-reporting agency suffered two major incidents in the span of a few months adds to a mounting crisis at the company, which is the subject of multiple investigations and announced the retirement of two of its top security executives on Friday." That one of the top security executives also happened to be a music major who desperately tried to scrub her public background has not helped the company's case.
Some further details from Bloomberg:
Equifax hired the security firm Mandiant on both occasions and may have believed it had the initial breach under control, only to have to bring the investigators back when it detected suspicious activity again on July 29, two of the people said.
Equifax’s hiring of Mandiant the first time was unrelated to the July 29 incident, the company spokesperson said. Vitor De Souza, senior vice president for global marketing at FireEye Inc., Mandiant’s parent company, declined to comment.
As Bloomberg hedges, "there’s no evidence that the publicly disclosed chronology is inaccurate, but it leaves out a set of key events that began earlier this spring, the people familiar with the probe said."
In any even, while the company's lawyers are surely looking for just the right explanation to justify sitting on news of cyberbreach for months before it was too late, the revelation of the March hack will complicate the company’s efforts to explain a series of unusual stock sales by Equifax executives.
If it’s shown that those executives did so with the knowledge that either or both breaches could damage the company, they could be vulnerable to charges of insider trading.
As reported earlier, the U.S. Justice Department has opened a criminal investigation into the stock sales, according to people familiar with the probe. As a reminder, Equifax originally disclosed that it discovered the security breach on July 29, and shortly after - in early August - the three executives sold shares worth almost $1.8 million.
The company has said the managers didn’t know of the breach at the time they sold the shares, although in light of the latest news that appears rather inconceivable.
Insider trading charges aside, there is the question of all those piling lawsuits:
new questions about Equifax’s timeline are also likely to become central to the crush of lawsuits being filed against the Atlanta-based company. Investigators and consumers alike want to know how a trusted custodian of so many Americans’ private data could let hackers gain access to the most important details of financial identity, including social security and driver’s license numbers, and steal credit card numbers.
Meanwhile, far from keeping the original hack a secret, "in early March Equifax began notifying a small number of outsiders and banking customers that it had suffered a breach and was bringing in a security firm to help investigate. The company’s outside counsel, Atlanta-based law firm King & Spalding, first engaged Mandiant at about that time. While it’s not clear how long the Mandiant and Equifax security teams conducted that probe, one person said there are indications it began to wrap up in May."
The revelation of an earlier breach - and one which comes from the press instead of the company itself - will likely raise questions for the company’s executives over whether that investigation was sufficiently thorough or if it was closed too soon, and also why it wasn't disclosed as part of the Sept. 7 press release.
For example, Equifax has said that the hackers entered the company’s computer banks the second time through a flaw in the company’s web software that was known in March but not patched until the later activity was detected in July.
For now, however, what will get the most scrutiny in light of the new timeline is the stock sales by company insiders: on Aug. 1 and Aug. 2, regulatory filings show that three senior Equifax executives sold shares worth almost $1.8 million, with none of the filings listing the transactions as being part of scheduled 10b5-1 trading plans. Equifax’s Chief Financial Officer John Gamble sold shares worth $946,374; Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099; and Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock.
Equifax has said the executives “had no knowledge that an intrusion had occurred at the time,” and the company spokesperson declined to make them available for comment.
Now, under the new timeline, the insider sales come several months after the March breach but before the public had any knowledge of major security issues at one of the country’s three big credit-reporting agencies. The new timeline is also likely to focus scrutiny on an earlier sale by Gamble of 14,000 shares on May 23. According to a regulatory filing, which didn’t indicate that the sale was part of a scheduled trading plan, the value of that transaction was $1.91 million, more than twice the size of his Aug. 1 disposal of 6,500 shares for $946,374.
Another question is who is behind the hack, and whether these were two separate incidents, or one organized breach:
If the two hacks are unrelated it could be that different hacking teams had different goals. One clue has emerged that suggests one goal of the attackers was to use Equifax as a way into the computers of major banks, according to a fourth person familiar with the matter.
This person said a large Canadian bank has determined that hackers claiming to sell celebrity profiles from Equifax on the dark web -- information that appears to be fraudulent, or recycled from other breaches -- did in fact steal the username and password for an application programming interface, or API, linking the bank’s back-end servers to Equifax.
According to Bloomberg, the discovery suggests that the attackers may have been trying to piggyback off of Equifax’s connections to large banks and other financial institutions as a backdoor way to hack those entities and gain access to sensitive partner systems. The company spokesperson said Equifax is “working diligently with our bank partners to assess and mitigate any impact to their operations.”
Equifax has yet to disclose that March breach to the public.