Equifax is disputing a report that it suffered an undisclosed data breach in March, separate from and predating the massive breach that exposed personal details for 143 million U.S. consumers.
Citing three anonymous sources, Bloomberg on Monday reported that Equifax did not publicly disclose the March breach. The report does not describe what kind of information was exposed or how many people were allegedly affected.
But one source told Bloomberg that investigators believe that the same group of attackers that struck Equifax in March returned to hack the data broker again, beginning in May. Equifax disclosed that latter attack on Sept. 7.
After the March breach, Equifax notified "a small number of outsiders" and some of its banking customers, Bloomberg reports. The credit reporting agency's law firm, King & Partners of Atlanta, also retained FireEye's Mandiant digital forensics consulting branch, on which it called again on Aug. 2 to investigate the later breach, according to Bloomberg.
Equifax tells Information Security Media Group in a statement that the Bloomberg story is "attempting to connect two separate cybersecurity events and suggesting the earlier event went unreported."
Instead, Equifax says the breach described by Bloomberg was a "security incident involving a payroll-related service." The incident, which Equifax refers to as the "March event," was reported to customers, affected individuals and regulators, as well as covered by the media, it says. "Mandiant has investigated both events and found no evidence that these two separate events or the attackers were related."
Equifax appears to be referring to unauthorized access to data held by TALX, pronounced "talks," which is its payroll, HR and tax services subsidiary that is formally known as Equifax Workforce Solutions. ISMG asked Equifax if it was indeed referring to TALX, but officials did not immediately respond. Bloomberg does not mention TALX or Equifax Workforce Solutions in its report.
In early March, Equifax began notifying individuals whose employers use TALX for payroll services that it had detected unauthorized access to its web-based portal.
Employees use the TALX portal to access their W-2, which is the annual income reporting form that U.S. employees need to file their federal tax return. That's also a key document for fraudsters, because it puts them one step closer to being able to fraudulently file and claim a tax refund in someone else's name.
In the March attack, hackers had luck accessing TALX accounts by guessing registered users' personal questions, according to Equifax's breach notifications. By answering the questions correctly, fraudsters were able to reset a PIN needed to access an account. With the fresh PIN, they were able to obtain an electronic copy of victims' W-2. The unauthorized access incidents occurred between April 17, 2016, and March 29, 2017, Equifax says.
After the breach, Equifax notified victims as well as attorneys general - in states requiring such notificaitons - including Maryland and New Hampshire, which published breach notifications about TALX. The breach received modest press coverage, including by cybersecurity blogger Brian Krebs.
Later, Massive Breach
If Bloomberg's report is accurate, however, it will further complicate matters for Equifax, which holds vast troves of financial data for consumers worldwide. Equifax is facing an array of worldwide probes, lawsuits and regulator scrutiny after it disclosed, on Sept. 7, that it suffered a massive breach that affects U.S., U.K. and Canadian consumers (see Top Democrat Likens Equifax to Enron as FTC Launches Probe).
The personal details of 143 million U.S. consumers were exposed after hackers exploited a known vulnerability in the Apache Struts web application framework used by Equifax to manage credit-related disputes filed by consumers. Equifax says information was exposed between May 13 and July 30, when its security team blocked the breach (see More Questions Raised After Equifax CIO, CSO 'Retire').
For U.S. consumers, the details include names, addresses, Social Security numbers and sometimes driver's license numbers. Also exposed were the credit card numbers for 209,000 consumers and additional personal information relating to credit disputes for 182,000 people.
In a statement released earlier this week, Equifax said that about 400,000 U.K. consumers were affected, and that exposed information included their names, birthdates, email addresses and phone numbers. The U.K. consumer data ended up in the U.S. due to a "process failure" that led to a limited amount of the British data being stored in the U.S. between 2011 and 2016, at which point Equifax says it fixed the problem.
An unknown number of Canadians were also affected by the breach discovered in late July. On its Canadian website, as of Tuesday morning, Equifax says "only a limited number" of people may be affected but notes that it is still identifying how many. The information exposed includes name, address and Social Insurance number. The company has promised to release more information soon.
One further potential wrinkle from Bloomberg's report is that the Equifax breach discovered in March may have been attackers attempting to use Equifax as a stepping stone for hacking into major bank' systems, according a single, anonymous source cited by Bloomberg. Equifax supplies data on consumer creditworthiness to lenders.
A large, unnamed bank in Canada discovered that hackers stole the username and password for an API that links the bank's systems with Equifax, the source told Bloomberg. The hackers are also selling supposed celebrity profiles stolen from Equifax on darknet sites, but the source says the information appears to either be fraudulent or compiled from other breaches.
Bloomberg says it also reviewed an internal memo from the bank, dated Sept. 14, which noted that the bank's wealth and management division had linked a test and development site to Equifax in order to share information.