Close-up of the upper corner of a consumer credit report from the credit bureau Equifax, with text reading Credit File and Personal Identification, on a light wooden surface, September 11, 2017. In September of 2017, a data breach at Equifax exposed the personal information of thousands of customers. (Photo via Smith Collection/Gado/Getty Images).
Shelby Lin Erdman, Cox Media Group National Content Desk
Equifax was hacked almost five months before the Atlanta-based company publicly disclosed the breach that may have compromised the personal data, including social security numbers and credit card information, of 143 million Americans, according to Bloomberg.
The credit reporting agency learned about the breach five months earlier in March, Bloomberg reported, citing three sources familiar with the hack, but in a statement, the company denied that the computer breaches were related.
One of Bloomberg’s sources said that both hacks involved the same perpetrators.
According to Reuters, Equifax released a statement maintaining that the two events were not related:
"Earlier this year, during the 2016 tax season, Equifax experienced a security incident involving a payroll-related service. The incident was reported to customers, affected individuals and regulators. This incident was also covered in the media. The March event reported by Bloomberg is not related to the criminal hacking that was discovered on July 29. Mandiant has investigated both events and found no evidence that these two separate events or the attackers were related. The criminal hacking that was discovered on July 29 did not affect the customer databases hosted by the Equifax business unit that was the subject of the March event.”
Equifax is now at the center of several investigations into how the breach occurred and what took so long to disclose it.
The company first reported the enormous breach of personal data last Thursday when it said a “cyber security incident” may have exposed millions of Americans’ personal information.
Equifax said the unauthorized access to the information occurred between mid-May and July, and was discovered by the company on July 29. It has since hired an outside cybersecurity firm to investigate.