After the revelation that a cybersecurity breach at the international credit reporting agency Equifax exposed personal information of 143 million people, the company has confirmed an additional security incident with a payroll-related service in the months prior. It says the two are unrelated.
Equifax is already struggling to regain public trust after it waited at least a month to disclose to consumers that the cyberattack potentially impacted their personal information, such as names, Social Security numbers, birth dates, addresses and, in some cases, driver's license numbers and credit card information.
"Earlier this year, during the 2016 tax season, Equifax experienced a security incident involving a payroll-related service," an Equifax spokesperson told NPR. "The incident was reported to customers, affected individuals and regulators. This incident was also covered in the media."
The company spokesperson disputes a Bloomberg report released Monday, in which an unnamed source "said the breaches involved the same intruders." The company adds that the same security company, Mandiant, "has investigated both events and found no evidence that these two separate events or the attackers were related."
Equifax's spokesperson characterizes this second breach as the "March event." However, it appears that the incident in question may have lasted considerably longer than a single month. When asked for information about previous media coverage, Equifax pointed NPR to coverage in KrebsOnSecurity.
That article describes a breach at TALX Corp., an Equifax subsidiary also called Equifax Workforce Solutions, where "crooks were able to reset the 4-digit PIN given to customer employees as a password and then steal W-2 tax data after successfully answering personal questions about those employees."
Krebs reported that Equifax said the breach happened over the course of nearly a year: "unauthorized access to customers' employee tax records happened between April 17, 2016 and March 29, 2017."
Equifax did not immediately confirm these details. It's not clear how many organizations were affected, though Krebs links to documentation of breaches at five organizations, including Northrop Grumman and the University of Louisville.
According to The Louisville Cardinal, the University of Louisville's student paper, the university stated that some "750 employees had 'suspicious activity' surrounding their online TALX Tax Express accounts when someone tried to reset PIN numbers."
Other reports date back to early 2016. A notice of data breach from Kroger executives states that the incident began in late January of that year. In a document released by New Hampshire's attorney general, the Kroger executives say that hackers "accessed the default website using default login information based on Social Security Numbers and dates of birth, which we believe were obtained from some other source."
The thieves then used the access to employees' W-2 forms to potentially "file tax returns in their names to claim a refund."
A Georgia man employed at Kroger filed a federal lawsuit against Equifax and its subsidiary in May 2016 over the breach, seeking class action status. In it, Betzalel Yochanan claimed that the breach happened "because Equifax failed to implement adequate security measures to safeguard consumers' Personal Identifying Information ('PII') and willfully ignored known weaknesses in its data security, including prior hacks into its information systems."
Yochanan voluntarily dismissed the lawsuit the following month, without providing a reason.
NPR's Sarah Knight contributed to this report.