New evidence calls into question Equifax’s handling of the breach reported last week, which compromised 143 million user details including Social Security numbers, birthdates, and addresses.
Equifax discovered a breach of its computer systems in March, months earlier than it previously admitted to, reports Bloomberg, citing three people with knowledge of the matter. The relationship between the two breaches is unclear, but one source Bloomberg spoke to said the breaches involve the same intruders. Both hacks appear to have exploited the same vulnerability in Apache software that Equifax didn’t fully patch until it was too late.
Two sources also told the newswire that Equifax had hired Mandiant — a firm that helps companies respond to security threats — after the initial breach, but brought them back on July 29th after suspicious activity was detected again. However, an Equifax spokesperson said that hiring Mandiant the first time was unrelated to the July 29th incident. Bloomberg reports that in early March, the company began to notify some customers of a breach. Equifax hasn’t publicly disclosed the March incident.
Equifax was vulnerable because of a critical flaw in the Apache Struts web server software. Apache released a patch for the vulnerability on March 8th. Equifax said it had patched its systems, but later admitted that it was the very same Apache Struts vulnerability that was exploited by the July breach. “While Equifax fully understands the intense focus on patching efforts, the company’s review of the facts is still ongoing,” said the company in a statement released Friday.
The Wall Street Journal found that the type of information reportedly stolen from Equifax in July — including names, addresses, birthdates, and Social Security numbers — was being used by hackers from May to early June in their attempts to infiltrate other large financial organizations. It could not say whether the information came from the March hack.
Alex Holden, chief information security officer of Hold Security, told the WSJ that Equifax has long been considered a target for identity thieves. Hold said a discovery last week showed Equifax’s employee portal in Argentina could be accessed by using the username and password of admin/admin.
Adding to Equifax’s mountain of troubles, the US justice department has opened a criminal investigation into the sales of the company’s stocks, sources familiar with the matter told Bloomberg. Three senior Equifax executives sold shares worth a total of $1.8 million on August 1st and 2nd, a few days after the discovery of the breach on July 29th. Two sources told Bloomberg that investigators are looking into the sales by chief financial officer John Gamble, president of US information solutions Joseph Loughran, and president of workforce solutions Rodolfo Ploder. Equifax says the executives had no knowledge that an intrusion had occurred when the transactions were made.
Two of Equifax’s security executives announced their retirement last week, while several class action lawsuits have also been filed against the company. US prosecutors and the FBI are investigating the breach and theft of personal data. A person familiar with the investigation told the WSJ that the scale of the breach, sophistication of the hack, and nature of the stolen data all point toward a state-sponsored actor, though there’s no public evidence to that effect.