Hackers accessed Equifax systems months before the credit-reporting agency publicly announced a massive breach that potentially exposed the personal financial data of 143 million Americans, Bloomberg reported Monday, citing people familiar with the matter.
The breach, which Bloomberg said Equifax had not previously disclosed publicly, took place in March. The development could prompt further scrutiny over three company executives who sold nearly $2 million in company stock days after Equifax said it learned of the second breach on July 29. Equifax has said those executives “had no knowledge” of the cyber attack that affected nearly half the US population.
The company publicly announced the second data breach on September 7, saying at the time that hackers had accessed its systems between mid-May and July. Equifax said at the time that criminals had accessed details including names and Social Security numbers. Credit-card numbers for about 209,000 people, as well as certain documents for another 182,000, were also accessed.
Equifax hired the cyber security firm Mandiant to conduct a forensic review of that breach, the same company that reportedly consulted with Equifax after the March attack, Bloomberg said. Bloomberg reported that Equifax notified “a small number of outsiders and banking customers” about the March incident, but had not announced it publicly.
It was not immediately clear whether any personal consumer data was compromised in the March incident, which would have triggered disclosure laws requiring Equifax to notify the public. According to Bloomberg, the credit-monitoring agency said it has complied with notification requirements pertaining to that incident.