Equifax, the credit monitoring agency that lost personal data of 143 million US customers in a massive hack in May, has revealed that it was also the victim of an earlier breach in March.

    The earlier breach was serious enough for the company to notify customers, and bring in the information security firm Mandiant to investigate. But the millions of Americans whose personal data the company stockpiles to power its services are not technically customers of the company, and so it did not inform them.

    Following a report by Bloomberg, Equifax came clean about the breach in a statement. “Earlier this year, during the 2016 tax season, Equifax experienced a security incident involving a payroll-related service. The incident was reported to customers, affected individuals and regulators. This incident was also covered in the media.”

Interesting. I don't remember reading about an earlier hack, 'cause I figure something like that would get my attention and the attention of a few others on Hubski. Enough that someone would make a post.

    In the letter, the company revealed that the attackers “gained access to the accounts primarily by successfully answering personal questions about the affected employees in order to reset the employees’ pins”. As a result, it was unable to even work out how much fraudulent access occurred, since the logins looked legitimate for its system.

Also, at this point it seems like it doesn't matter how good your security protocols are. The human element always seems to throw a monkey wrench into things.

johnnyFive:

Humans are always the bug, yes.

I'll repeat what I said when the more recent breach came to light: until companies have some skin in the game, this is going to keep happening.


posted 2403 days ago