Earlier Equifax breach was no secret

A Bloomberg story claiming that Equifax did not notify the public of a breach in March appears to be inaccurate about one of its central tenets. The breach was widely reported in security-related media and the company contacted both affected users and the government.

The March breach occurred months before the recently announced breach that may have impacted as many as 143 million Americans.

Bloomberg's story claimed "Equifax has yet to disclose that March breach to the public," suggesting the nondisclosure would "complicate the company’s efforts to explain a series of unusual stock sales by Equifax executives," leaving them "vulnerable to charges of insider trading." 

In fact, not notifying the public about an earlier breach in which personal information was retrieved would also run afoul of several state breach notification laws. Equifax, however, appears to have complied with those laws.

The breach referred to in the Bloomberg story appears to be one at the Equifax subsidiary TALX. In May, several security publications, including widely read reporter Brian Krebs and blogger Graham Cluley, reported on the breach.

Those reports were based on the breach notifications sent to the people affected by the breach. 

The company sent a letter to the Attorney General of New Jersey describing the breach, which the state's Department of Justice posted to its website.

The TALX breach targeted employee W2 files, which fraudsters often use for tax refund scams. 

An investigation into the more recent hack found no connections between the TALX hack and the recently announced Equifax hack. 

The more recent hack, discovered on July 29 and announced a few weeks later, gave hackers access to personal information, including Social Security numbers, for as many as 143 million Americans.

"The March event reported by Bloomberg is not related to the criminal hacking that was discovered on July 29. Mandiant has investigated both events and found no evidence that these two separate events or the attackers were related," wrote Equifax in a statement to The Hill.  

"The criminal hacking that was discovered on July 29 did not affect the customer databases hosted by the Equifax business unit that was the subject of the March event."

Large stock trades made by three Equifax senior executives in between the July discovery of the breach and the August public announcement have raised the specter of insider trading. The company claims that those executives were unaware of the breach at the time of the trades.