As the feds investigate whether the Equifax breach that exposed data of up to 143 million Americans resulted in insider trading, the company has a new problem. Three sources tell Bloomberg that although Equifax learned of the intrusion in late July, the company knew of another breach as early as March, and one source says the same hackers were responsible (Equifax says the two breaches aren't related). Equifax reportedly hired security firm Mandiant to handle the first breach, then brought Mandiant back when the second breach was found. Equifax says the breach it found in July, which was revealed to the public on Sept. 7, happened in mid-May, per Mandiant investigators. As for the March breach to a business-services unit, "the incident was reported to customers, affected individuals, and regulators," Equifax says, per CBS News.
Security experts tell Bloomberg the March breach may not have been publicized because, if an inquiry found that data wasn't accessed, disclosure laws may not have required it. One source says it appears the investigation was completed in May—right around the time the second hack is said to have taken place. How thorough that initial probe was, and how well Equifax protected against future breaches in its wake, will now likely be examined. Bloomberg notes this new development could worsen matters for the three execs who dumped Equifax shares, especially if it's determined they did so with knowledge that either breach could hurt the company. The revelation could also serve as new ammunition for the multiple lawsuits filed against Equifax on the first breach, which exposed information such as consumers' Social Security and driver's license numbers. (Read more Equifax stories.)