KrebsOnSecurity broke the news of the confidential alerts, which suggest that hackers initially breached Equifax in November 2016. In fact, Visa said in a non-public alert sent this week that the “window of exposure” for the cards stolen in the Equifax breach was between November 10, 2016 and July 6, 2017. A similar alert from Mastercard included the same date range.
However, Equifax says the accounts were all stolen at the same time, when hackers gained access to the company’s systems in mid-May 2017.
“The attacker accessed a storage table that contained historical credit card transaction related information,” the company said in a statement to KrebsOnSecurity. “The dates that you provided in your e-mail appear to be the transaction dates. We have found no evidence during our investigation to indicate the presence of card harvesting malware, or access to the table before mid-May 2017.”
Both Visa and Mastercard frequently send alerts to banks issuing cards when specific credit and debit cards may have been compromised in a data breach. Typically, the alerts don’t include the specific company involved in the security issue. In this case, however, Equifax was specifically named as the source of an eCommerce card breach.
“The investigation is ongoing and this information may be amended as new details arise,” Visa said in its confidential alert, linking to the press release Equifax initially posted about the breach on Sept. 7, 2017.
Visa revealed that the data elements stolen in the cyberattack included card account numbers, expiration dates and cardholders’ names – information that can be used to conduct eCommerce fraud at online merchants and perform identity theft.