Hackers breached an Equifax payroll-related service in March, months before the company said criminals accessed the personal records of 143 million people.
On Monday, Equifax said the March incident was unrelated to the recently disclosed hack that occurred between May and July 2017.
“The criminal hacking that was discovered on July 29 did not affect the customer databases hosted by the Equifax business unit that was the subject of the March event,” Equifax said in a statement.
Security breach disclosure laws require businesses to disclose hacks if they include personal identifiable information like social security numbers, drivers licenses or state IDs. Equifax says it reported the March incident to customers, affected individuals and regulators.
According to a report from Bloomberg, an insider says the same intruders were involved in both breaches. However, Equifax denies the incidents are related.
Equifax did not provide additional information about the March breach, but journalist Brian Krebs reported that between April 2016 and March 2017, hackers accessed tax records through Equifax subsidiary TALX, a payroll and tax service provider.
Equifax hired cybersecurity firm Mandiant to investigate both the March and July incidents.
“Mandiant has investigated both events and found no evidence that these two separate events or the attackers were related,” Equifax said in a statement.
The vulnerability used to access 143 million records was disclosed in March. Equifax has said it was aware of the vulnerability at the time and took efforts to patch it, however, the hackers used the flaw to steal information months later. The credit reporting agency announced the breach on Sept. 8 and confirmed the breach occurred between mid-May and July.
It is unknown who was responsible for the hack disclosed earlier this month.
The FBI and the Federal Trade Commission are investigating the breach. Two Equifax executives — its chief information officer and chief security officer — retired on Friday.