Equifax said a breach it discovered in March was not related to the second, massive breach the company disclosed in September, though the hackers were reportedly the same, according to sources who spoke with Bloomberg, and the same vulnerability in Apache Struts was exploited in both incidents.
"Equifax complied fully with all consumer notification requirements related to the March incident," according to a company statement. "The two events are not related."
The motive behind the breach discovered in March may have been entrée into banking and financial institution networks, Bloomberg reported, noting that Equifax called in Mandiant to investigate in both instances.
The later breach has already cost the company its CSO and CIO, who announced their retirement plans last week; drawn the scrutiny of financial regulators; prompted Congress to question the company's security practices and the sell-off of stock by three Equifax executives just three days after the mega breach was discovered in July but more than a month before it was revealed publicly; and spawned legislation and regulatory action.
Equifax has been publicly skewered for its delay both in disclosing the massive breach that exposed the personal data of 143 million American consumers and in patching the vulnerability in Apache Struts that was fixed in March.