Equifax Got Hacked Back in March, but You Probably Never Heard About it

man checking credit card info on smartphone
mixetto/Getty Images

Consumers were surprised when Equifax announced a large-scale hack to the public in September, despite having learned of the breach way back on July 29. The hack exposed a security gap that led to the theft of 143 million consumers’ financial information. Investigators later learned the hackers accessed data as far back as mid-May.

Now, new details have emerged that show Equifax was hacked in an unrelated attack back in March.

A spokesperson from Equifax said of the first breach in a statement: “Earlier this year, during the 2016 tax season, Equifax experienced a security incident involving a payroll-related service. The incident was reported to customers, affected individuals and regulators. This incident was also covered in the media. The March event reported by Bloomberg is not related to the criminal hacking that was discovered on July 29.”

The spokesperson said that Mandiant hasn’t found any evidence connecting the two breaches. The earlier breach affected payroll product TALX, an Equifax subsidiary, and was primarily reported on by security writers Brian Krebs and Graham Cluley based on notifications obtained from affected customers.

Bloomberg reported that the initial breach in March 2017 led the credit bureau to hire a security firm to investigate. That initial investigation by security firm Mandiant concluded in May, according to Bloomberg.

The second breach exposed birthdates, Social Security numbers and credit card numbers. It affected around 40% of American consumers and took place between May and July 2017.

Mandiant also investigated the second breach, which Equifax announced Sept. 7.

“Equifax’s internal investigation of this incident is still ongoing and the company continues to work closely with the FBI in its investigation,” an update on Equifax’s security site says of the more recent hack.

Well, Now the Government’s Looking at the Equifax Hack

On Sept. 15, Equifax announced that its chief information officer and chief security officer were retiring.

Bloomberg notes that the stock sale by three Equifax executives in early August may be examined further as new details about the beach’s timeline emerge. The sold shares were worth more than $1.8 million combined. Another similar transaction took place in May, according to Bloomberg. The U.S. Department of Justice is investigating those transactions for insider trading conflicts.

We All Have Trust Issues, Right?

Whether you were impacted by this summer’s Equifax hack or not — we show you how to find out if you were affected — it can feel like each new day brings a new challenge for U.S. financial institutions. Start adding them up, and a culture of distrust can develop. Earlier this year, Equifax was forced to pay $3.8 million for various violations, including serving customers ads while they viewed their free annual credit reports.

The latest security breach and rumors of insider trading don’t help the Equifax brand one bit, especially after consumers have complained about how difficult it is to get breach-related assistance.

“What makes the situation especially awful is that you never had much choice about entering into a relationship with Equifax,” Pat Regainer and Suzanne Woodley wrote in Bloomberg Businessweek.

You choose a bank, a mortgage company and a credit card brand, but you never choose to be listed in the three credit bureaus, they explain. You can either live off the financial grid or be a part of this mess. There is no middle ground.

Add in millennial skepticism — they don’t trust much of anyone in the financial world — and you have a more complicated reputation quandary than anyone may have predicted.

Lisa Rowan is a writer and producer at The Penny Hoarder.