Credit reporting agency Equifax has confirmed that it suffered a cyberattack prior to the attack that took place in September. It is thought that the hackers gained access to months' worth of consumer information. The company is believed to have exposed the information of 143 million people between the two incidents, although the attacks are not thought to be related.
Equifax is struggling to regain public trust after the company chose to wait at least a month before disclosing to its customers that the attack on its payroll-related service had potentially put their personal information at risk of leaking. The personal information that was at risk includes full names, Social Security numbers, addresses, credit card details and driver's licence numbers. Security company Mandiant, which was investigating the breaches, has found no evidence that the two events were linked or caused by the same intruders. The company has insisted that its executives were not aware of the further breaches when selling stock in the company.
The breach at TALX Corp, a subsidiary of Equifax which is often known as Equifax Workforce Solutions, happened when the intruders were able to reset the four-digit PIN codes given to customers and then steal W-2 data. KrebsOnSecurity is concerned that this breach, which allowed hackers to access employees' tax records, could have lasted for over a year. It is believed that unauthorized access was gained between April 17 2016 and March 29 2017. This also includes breaches at five organizations, including Northrop Grumman.
According to the University of Louisville's student paper, The Louisville Cardinal, around 750 university employees noticed suspicious activity in their online TALX Tax Express accounts. This happened when attempts were made to reset a large number of PINs. Some reports of the data breach date back as far as early 2016, when Kroger executives noticed that hackers were accessing the website using default login information based on dates of birth and personal details which could only have been sourced illegally elsewhere. There is concern that the attackers could be using the W-2 forms to file tax returns in the employees' names before claiming a refund. At least one employee at Kroger has filed a federal lawsuit against Equifax and its subsidiary over this breach of information. Many customers are angry that Equifax has failed to implement the correct security to safeguard their personal information and has wilfully ignored any weaknesses or faults in its software.
Equifax's former CEO Richard Smith has put all the blame for the data breach on one employee, attributing it to a single human oversight that meant the company failed to correct a weak security patch within its system. Smith has reassured customers that the company had invested $250 in cybersecurity over the last three years and that his teams were working on the emergency response time. The company also blamed a known flaw in the Apache software package for the breach, despite the issue being apparently discovered and fixed in March. Two executives, the chief information officer and the chief security officer, have left the company since the breach was exposed.