Equifax Data Breach: Company Reveals Another Undisclosed Cyberattack
The company says it has no evidence the two attacks on its data were related.

ATLANTA, GA — The credit-monitoring firm Equifax faced a deluge of criticism after it announced that it experienced a massive data breach exposing sensitive information of 143 million Americans earlier this month. Now, it seems the problem may be even worse than the public was initially led to believe, and the company's legal troubles continue to mount.
The newest twist in the unfurling saga was revealed when Equifax announced it had a security breach earlier this year that involved a different part of the company than the one accessed in the larger hack.
The breach involved TALX, which is Equifax's human resources and payroll service. The company said there's no evidence that the TALX breach, which happened between March and April this year, and the wider breach are related.
The TALX breach, which at the time was relatively minor, is likely to attract additional scrutiny.
Three executives at Equifax were found to have sold stock in the days leading up to the time when Equifax disclosed the more serious breach. Equifax says the three executives, who include the company's second-highest ranking employee, its chief financial officer, were unaware of the bigger breach when they sold their shares.
Equifax hired the same cybersecurity company, Mandiant, to handle both breach investigations.
Massachusetts Attorney General Maura Healey sued Equifax on Tuesday, making it the first state to take direct legal action against the company following the breach. Its lawyers say that Equifax's negligence exposed more than half the state's adult population to the breach, and the company was negligent in dealing with security threats, including the software vulnerability that has become the center of the investigation.
Attorney General Healey is seeking unspecified civil penalties, restitution and damages for the impacted residents.
New York Attorney General Eric Schneiderman is questioning two other credit-monitoring companies, TransUnion and Experian, about what precautions they have taken to protect sensitive consumer information. In letters to company executives, the Democratic attorney general asked them to describe their existing security systems, as well as what changes they've made since the Equifax hack.
The breach, he wrote, "has raised serious concerns about the security of private consumer information held by the nation's largest consumer credit reporting agencies." The letters also ask whether the companies are considering waiving the fees for consumer credit freezes. The costs of those vary by state.
Equifax's CEO has been called to testify before Congress on Oct. 3, and the company announced last week that its chief information officer and chief security officer would be leaving the company immediately. It also has bulked up its call centers and is waiving fees for credit freezes.
The credit data company also released a detailed, if still muddled, timeline of how it discovered and handled the breach.
Equifax's stock has fallen more than a third since the scandal broke.
Consumers should be vigilant and diligent. That means:
- Closely monitoring their credit reports, which are available free once a year, and staggering them to see one every four months.
- Keeping watch, possibly for a long time. Scammers who get ahold of the data could use it at any time — and with 143 million to choose from, they may be patient.
- Considering freezing your credit reports. That stops thieves from opening new credit cards or loans in your name, but it also prevents you from opening new accounts. So if you want to apply for something, you need to lift the freeze a few days beforehand.
By KEN SWEET, AP Business Writer
AP Photo/Mike Stewart