Slashdot Mirror
Equifax Suffered a Hack Almost Five Months Earlier Than the Date It Disclosed (bloomberg.com)
Bloomberg is reporting that Equifax, the credit reporting company that recently reported a cybersecurity incident impacting roughly 143 million U.S. consumers, learned about a breach of its computer systems in March -- almost five months before the date it has publicly disclosed. The company said the March breach was unrelated to the recent hack involving millions of U.S. consumers, but one of the people familiar with the situation said the breaches involve the same intruders. From the report: Equifax hired the security firm Mandiant on both occasions and may have believed it had the initial breach under control, only to have to bring the investigators back when it detected suspicious activity again on July 29, two of the people said. Equifax's hiring of Mandiant the first time was unrelated to the July 29 incident, the company spokesperson said. The revelation of a March breach will complicate the company's efforts to explain a series of unusual stock sales by Equifax executives. If it's shown that those executives did so with the knowledge that either or both breaches could damage the company, they could be vulnerable to charges of insider trading. The U.S. Justice Department has opened a criminal investigation into the stock sales, according to people familiar with the probe.
In early March, they said, Equifax began notifying a small number of outsiders and banking customers that it had suffered a breach and was bringing in a security firm to help investigate. The company's outside counsel, Atlanta-based law firm King & Spalding, first engaged Mandiant at about that time. While it's not clear how long the Mandiant and Equifax security teams conducted that probe, one person said there are indications it began to wrap up in May. Equifax has yet to disclose that March breach to the public.
In early March, they said, Equifax began notifying a small number of outsiders and banking customers that it had suffered a breach and was bringing in a security firm to help investigate. The company's outside counsel, Atlanta-based law firm King & Spalding, first engaged Mandiant at about that time. While it's not clear how long the Mandiant and Equifax security teams conducted that probe, one person said there are indications it began to wrap up in May. Equifax has yet to disclose that March breach to the public.
By an interesting coincidence, I ended finally applying for a credit card (after many years of debit card only) - and American Express wanted me to fill out a form that would have the US treasury make all of my tax records available to Equifax. I looked into it a bit more and apparently American Express has this rather heavy handed tactic of picking some of their customers more or less at random, suspending all their accounts, and then holding the accounts hostage until the customers agree to have the treasury release their tax forms to Equifax. In a perfect world, American Express would face some consequences for forcing their customers to give all kinds of detailed and unnecessary financial information to a firm as incompetent and malicious as Equifax.
You hire a security firm and at the same time you don't bother to update critical security issue with the software? Did they have an audit or did they just pay $$ for a PCI compliance sticker? How did the audit go - how come it not revealed issues with too much data being accessible from public subnet? just too many questions....