New evidence raises doubts about executives’ handling of the Equifax breach

Did you know Marcum Technology provides comprehensive Cyber Security services?

Learn More

New evidence calls into question Equifax’s handling of the breach reported last week, which compromised 143 million user details including Social Security numbers, birthdates, and addresses.

Equifax discovered a breach of its computer systems in March, months earlier than it previously admitted to, reports Bloomberg, citing three people with knowledge of the matter. The relationship between the two breaches is unclear, but one source Bloomberg spoke to said the breaches involve the same intruders. Both hacks appear to have exploited the same vulnerability in Apache software that Equifax didn’t fully patch until it was too late.

Two sources also told the newswire that Equifax had hired Mandiant — a firm that helps companies respond to security threats — after the initial breach, but brought them back on July 29th after suspicious activity was detected again. However, an Equifax spokesperson said that hiring Mandiant the first time was unrelated to the July 29th incident. Bloomberg reports that in early March, the company began to notify some customers of a breach. Equifax hasn’t publicly disclosed the March incident.

Equifax was vulnerable because of a critical flaw in the Apache Struts web server software. Apache released a patch for the vulnerability on March 8th. Equifax said it had patched its systems, but later admitted that it was the very same Apache Struts vulnerability that was exploited by the July breach. “While Equifax fully understands the intense focus on patching efforts, the company’s review of the facts is still ongoing,” said the company in a statement released Friday.

The Wall Street Journal found that the type of information reportedly stolen from Equifax in July — including names, addresses, birthdates, and Social Security numbers — was being used by hackers from May to early June in their attempts to infiltrate other large financial organizations. It could not say whether the information came from the March hack.

Continue to article