Things somehow keep getting worse for Equifax

The credit agency had been hacked in March, in a separate breach.

What's the next level below dumpster fire? Maybe landfill blaze. Or Great Pacific garbage patch twister.

Whatever term you prefer, that's what Equifax has dropped to after last week's dumpster fire description.

Already taking heat for leaving the private data of 143 million Americans accessible to hackers, Equifax is now facing questions about a previous data breach it suffered earlier in 2017.

This comes from Bloomberg, which was told by sources that Equifax's systems were breached in March – an incident that the company didn't make public, despite telling some banking customers and a few other outsiders, according to the report.

Equifax in a statement to The Guardian confirmed the March hack, saying it related to a payroll service. The company also said a third-party review found that hack is not related to the large one that's recently been in the news, and didn't affect those customer databases. 

Cybersecurity expert Brian Krebs reported the March breach affected tax records. According to CNN, Equifax says it notified affected consumers and other parties about the possible impact.

All told, it means Equifax – which, as one of the three big credit reporting agencies, stores the personal data of millions of Americans – was the victim of two hacks in the span of just a few months.

Equifax also hadn't patched a flaw correctly

Also coming out in recent days – the flaw hackers exploited to access the information of 143 million Americans over the summer had actually been patched months earlier.

The issue was a vulnerability in Apache Struts, a web application framework. Apache fixed that flaw back in March, ZDNet says. Equifax last week acknowledged being aware of the vulnerability at the time, and making efforts to patch the vulnerable systems it knew about.

But Equifax apparently didn't patch this specific application until noticing the suspicious activity on July 29. At that point, the company blocked the communications, and took the web application offline while it installed the proper patch.

"While Equifax fully understands the intense focus on patching efforts, the company’s review of the facts is still ongoing. The company will release additional information when available," the company said.

This breach actually started back in mid-May, but wasn't noticed until late July, and then wasn't revealed publicly until September. 

Two high-level execs have lost their jobs at this point.

The damage so far: names, Social Security numbers, birth dates, addresses and driver’s license numbers of up to 143 million Americans, plus the credit card numbers of 209,000 U.S. consumers. Some documents containing personal identifying information of 182,000 Americans were also accessed, Equifax says.

Oh, and some U.K. and Canadian residents had information out there too.

We'll go with landfill blaze.
