
Equifax reportedly suffered a hack earlier than disclosed

The credit-reporting firm says an "incident" in March was unrelated to the massive hack revealed earlier this month.

Steven Musil Night Editor / News

Equifax confirmed it suffered an "incident" in March that prompted it to hire cybersecurity firm Mandiant, a specialist in resolving data breaches.


Equifax, which disclosed earlier this month a massive hack that may have exposed personal information for roughly half the US population, experienced another data breach several months earlier. 

The credit rating agency detected a major breach of its computer network in March, according to Bloomberg, nearly five months before cybercrooks stole a treasure trove of financial data from as many as 143 million people in the US. The pilfered data included names, Social Security numbers, birth dates and addresses of customers.

Equifax has said it learned about the latter breach on July 29, but it waited more than a month before revealing it.

On Monday, Equifax confirmed it suffered an "incident" in March that prompted it to hire cybersecurity firm Mandiant, a specialist in resolving data breaches. It said the March incident wasn't related to the massive hack revealed earlier this month.

"Equifax complied fully with all consumer notification requirements related to the March incident," an Equifax spokesperson said in a statement. "The two events are not related."

The company has been under intense scrutiny since the hack was revealed on Sept. 7. A pair of influential US senators have sent a letter to Equifax CEO Rick Smith demanding details about the hack, including information about when authorities and board members were informed of the hack.

They specifically want to know details of nearly $1.8 million in stock sales made by Equifax executives, including the company's chief financial officer, three days after the breach was discovered and several weeks before it was made public.

The US Justice Department has reportedly opened a criminal investigation into the stock sales.

Equifax said last week the hack was made possible by a months-old but apparently unpatched web server vulnerability. Patches were made available for the flaw in mid-March, but it's unclear why the flaw still existed on Equifax's servers in mid-May.

On Friday, the company said Chief Security Officer Susan Mauldin and Chief Information Officer David Webb would be "retiring," effective immediately.
