Hackers accessed Equifax systems in March in a separate intrusion from the July breach the credit-reporting agency publicly announced earlier this month, Bloomberg reported Monday, citing people familiar with the matter.
The development could prompt further scrutiny over three company executives who sold nearly $2 million in company stock shortly after July 29, when Equifax said it learned of the second breach. Equifax has said those executives “had no knowledge” of that cyberattack, which potentially exposed the personal financial data of 143 million Americans.
The company publicly announced the second data breach on September 7, saying at the time that hackers had accessed its systems between mid-May and July. Equifax said criminals had accessed details including names and Social Security numbers. Credit-card numbers for about 209,000 people, as well as certain documents for another 182,000, were also accessed.
Equifax hired the cybersecurity firm Mandiant to conduct a forensic review after both breaches, Bloomberg said, adding that Equifax had notified “a small number of outsiders and banking customers” about the March incident but had not announced it publicly.
It was not immediately clear whether any personal consumer data was compromised in the March incident; such a compromise would have triggered disclosure laws requiring Equifax to notify the public. According to Bloomberg, the credit-monitoring agency said it had complied with notification requirements pertaining to that incident.