Equifax, the credit-reporting agency that was hacked in July, hasn’t been very upfront recently, and the situation is getting worse.
According to a report from Bloomberg, Equifax learned about a major breach of its computer systems in March 2017, about five months before the date it publicly disclosed. The company says the March breach wasn’t related to the July hack, which exposed the personal and financial data of 143 million U.S. consumers, though it does involve the same intruders.
Equifax hired security firm Mandiant on both occasions, though it’s possible the credit agency believed it had the first breach under control. In early March, Equifax began notifying a small number of banking customers that it had suffered a breach and would hire a security firm to help with the investigation.
Why were they silent? According to security experts, one possible reason for not disclosing the breach is that the investigation never uncovered evidence that any data was accessed. Once there’s evidence that personal information was breached, that’s when data breach laws start to kick in. So technically, Equifax may not have been required to tell the public.
Losing trust: This is certainly not a good look for the company. Looking past the fact that the data breaches happened in the first place, not being honest to the public about the hack from March is really bad for the company’s image. It’s going to take Equifax a very long time to get back on the public’s good side.
Now the Justice Department is involved: The United States Justice Department has opened up a criminal investigation into the unusual selling of stocks by Equifax executives just days after the second hack in July. These executives might be vulnerable to charges of insider trading. This March hack will make things even worse for the company.
The scandal is far from over.