When Equifax first disclosed the shocking news on September 7 that its servers and some 143 million private accounts had been hacked, leaking everything from names to addresses to social security numbers, it stated in its press release that it had "learned of the incident on July 29, 2017," adding that "at which point it reported the intrusion to law enforcement and contracted a cybersecurity firm to conduct a forensic review: based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017."
As we commented then, it "oddly enough took shareholders and over a third of America, more than a month longer to learn that all their personal data may have been compromised."
And now, according to Bloomberg, it appears the company had lied again, as it wasn't "only one month" but nearly six that the company was aware that its systems had been violated without acting on the information:
While the March breach was reportedly not related to the hack that exposed the personal and financial data on 143 million U.S. consumers, "one of the people said the breaches involve the same intruders. Either way, the revelation that the 118-year-old credit-reporting agency suffered two major incidents in the span of a few months adds to a mounting crisis at the company, which is the subject of multiple investigations and announced the retirement of two of its top security executives on Friday." That one of the top security executives also happened to be a music major who desperately tried to scrub her public background has not helped the company's case.
Some further details from Bloomberg:
Equifax’s hiring of Mandiant the first time was unrelated to the July 29 incident, the company spokesperson said. Vitor De Souza, senior vice president for global marketing at FireEye Inc., Mandiant’s parent company, declined to comment.
As Bloomberg hedges, "there’s no evidence that the publicly disclosed chronology is inaccurate, but it leaves out a set of key events that began earlier this spring, the people familiar with the probe said."
In any event, while the company's lawyers are surely looking for just the right explanation to justify sitting on news of a cyberbreach for months before it was too late, the revelation of the March hack will complicate the company’s efforts to explain a series of unusual stock sales by Equifax executives.
As reported earlier, the U.S. Justice Department has opened a criminal investigation into the stock sales, according to people familiar with the probe. As a reminder, Equifax originally disclosed that it discovered the security breach on July 29, and shortly after - in early August - the three executives sold shares worth almost $1.8 million.
The company has said the managers didn’t know of the breach at the time they sold the shares, although in light of the latest news that appears rather inconceivable.
Insider trading charges aside, there is the question of all those piling lawsuits:
Meanwhile, far from keeping the original hack a secret, "in early March Equifax began notifying a small number of outsiders and banking customers that it had suffered a breach and was bringing in a security firm to help investigate. The company’s outside counsel, Atlanta-based law firm King & Spalding, first engaged Mandiant at about that time. While it’s not clear how long the Mandiant and Equifax security teams conducted that probe, one person said there are indications it began to wrap up in May."
The revelation of an earlier breach - and one which comes from the press instead of the company itself - will likely raise questions for the company’s executives over whether that investigation was sufficiently thorough or if it was closed too soon, and also why it wasn't disclosed as part of the Sept. 7 press release.
For now, however, what will get the most scrutiny in light of the new timeline is the stock sales by company insiders: on Aug. 1 and Aug. 2, regulatory filings show that three senior Equifax executives sold shares worth almost $1.8 million, with none of the filings listing the transactions as being part of scheduled 10b5-1 trading plans. Equifax’s Chief Financial Officer John Gamble sold shares worth $946,374; Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099; and Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock.
Now, under the new timeline, the insider sales come several months after the March breach but before the public had any knowledge of major security issues at one of the country’s three big credit-reporting agencies. The new timeline is also likely to focus scrutiny on an earlier sale by Gamble of 14,000 shares on May 23. According to a regulatory filing, which didn’t indicate that the sale was part of a scheduled trading plan, the value of that transaction was $1.91 million, more than twice the size of his Aug. 1 disposal of 6,500 shares for $946,374.
Another question is who is behind the hack, and whether these were two separate incidents, or one organized breach:
This person said a large Canadian bank has determined that hackers claiming to sell celebrity profiles from Equifax on the dark web -- information that appears to be fraudulent, or recycled from other breaches -- did in fact steal the username and password for an application programming interface, or API, linking the bank’s back-end servers to Equifax.
According to Bloomberg, the discovery suggests that the attackers may have been trying to piggyback off of Equifax’s connections to large banks and other financial institutions as a backdoor way to hack those entities and gain access to sensitive partner systems. The company spokesperson said Equifax is “working diligently with our bank partners to assess and mitigate any impact to their operations.”
Equifax has yet to disclose that March breach to the public.