- Equifax suffered an additional data breach in March, which the company said was not related to the security incident disclosed earlier this month impacting 143 million U.S. consumers, according to a Bloomberg report.
- In the March incident, which occurred five months before the second breach was discovered, Equifax notified a small number of impacted individuals, including banking customers, Bloomberg reports. Equifax's outside counsel brought in Mandiant to investigate the breach.
- "The retention of Mandiant in March was unrelated to the July 29 cybersecurity incident. Equifax complied fully with all consumer notification requirements related to the March incident," the firm said in a statement received by CNBC. Equifax could not be reached by CIO Dive prior to publication.
The revelations of the earlier breach could call into question Equifax's disclosed timeline. Last week, the firm outlined in a public statement the timeline of the breach impacting 143 million U.S. consumers. Equifax said its security team first noticed the breach on July 29, but made no mention of an earlier security incident.
The March security incident occurred nearly five months before the recently disclosed data breach. The firms said the two incidents were not tied together, but it raises doubt around the firm's cybersecurity practices.
Some companies limit scope of an outside firm's investigation — in this case, FireEye-owned Mandiant was contracted to look into both security incidents — following an initial breach, a thorough, system-wide investigation would have helped ensure Equifax understood its overall security posture.
Following the recent retirement of the Equifax's CIO and CSO, the company's interim technology heads will have to work to mitigate any issues with back-end systems and make sure its technology is prepared to withstand further security incidents.
Equifax is facing numerous consumer lawsuits in addition to a U.S. Justice Department probe into top company officials' sale of stock just prior to the breach disclosure earlier this month. Widely criticized by the security community for how it handled the breach, Equifax is receiving a lesson in how to respond to a security incident.
In the modern era of computing, it's not a case of "if," but "when" a company will be targeted and potentially hacked. To save an organization's reputation, companies have to respond quickly and remain transparent throughout the entire investigation and breach recovery process.