Equifax suffered yet another major hack in March this year, several months before the July breach that the credit firm publicly disclosed on 7 September. Earlier this month, Equifax confirmed it was hit with a major cyberattack in July that saw the theft of a trove of valuable data from about 143 million American consumers.
Bloomberg reported on Monday that the company suffered yet another, unrelated attack earlier this year that may have involved the same intruders. Equifax brought in FireEye-owned Mandiant to help investigate the first incident in March and did the same after it discovered the second attack during the summer.
Equifax acknowledged that it did face a "security incident" in March that is separate from the recently disclosed breach that triggered fierce criticism and intense scrutiny from users, lawmakers and law enforcement. However, it said it "complied fully with all consumer notification requirements" related to the March breach.
"Earlier this year, during the 2016 tax season, Equifax experienced a security incident involving a payroll-related service. The incident was reported to customers, affected individuals and regulators. This incident was also covered in the media," Equinox said in a statement, Fortune reports. "The March event reported by Bloomberg is not related to the criminal hacking that was discovered on July 29.
"Mandiant has investigated both events and found no evidence that these two separate events or the attackers were related. The criminal hacking that was discovered on July 29 did not affect the customer databases hosted by the Equifax business unit that was the subject of the March event."
The company did not disclose any specific details regarding the extent of the March breach.
Equifax's recent disclosure of the July hack has dominated headlines over the past few weeks due to the value of the customers' data accessed in the attack.
The compromised data included customers' names, Social Security numbers, dates of birth, addresses and driver's licenses. The credit card numbers of about 209,000 people and certain dispute documents with personal identifying information of 182,000 were also compromised in the hack. Attackers also managed to access "limited personal information" of certain UK and Canadian residents as well, the firm confirmed.
Equifax said hackers exploited a months-old Apache Struts server vulnerability to carry out the attack – a patch for which was made available in March, more than a month before the breach took place from 13 May through 30 July.
US lawmakers have demanded Equifax release specific details regarding the circumstances surrounding the breach including the timeline, when authorities and board members were informed of the hack and the company's decision to delay public disclosure of the attack for over a month. They have also sought information about the Equifax executives who sold nearly $1.8m (£1.36m) in stock just days after the firm discovered the hack, but weeks before it was made public.
Equifax has since been hit with at least 30 lawsuits and is being investigated by multiple states, US Congress and the FBI. The US Justice Department has also reportedly launched a criminal investigation into the stock sales as well.
Last week, the company announced that its Chief Security Officer Susan Mauldin and Chief Information Officer David Webb would be retiring, effective immediately. Mauldin, who earned a bachelor's degree and Master of Fine Arts in music from the University of Georgia, has also come under scrutiny over the relation of her educational background to cybersecurity.