A security researcher claims to have warned Equifax of major vulnerabilities to its computer systems last December. If true, this contradicts the company’s claim to have only learned about the problems this spring—and provides more evidence Equifax could have prevented a catastrophic data breach that affected at least 145 million Americans.
The new allegations, reported by a security reporter at tech news site Motherboard, say the unnamed researcher scanned servers and public-facing websites, and discovered it was easy to access troves of personal data of Equifax customers.
In at least one case, a website that appeared to be an internal employee portal for looking up customer information could be accessed by anyone on the Internet. Overall, the security vulnerabilities appeared to have offered easy access to a staggering amount of sensitive data:
[T]he researcher couldn’t believe what they had found. One particular website allowed them to access the personal data of every American, including social security numbers, full names, birthdates, and city and state of residence
The researcher, who asked for anonymity out of “professional concerns,” claims to have told Equifax about the vulnerabilities immediately after discovering them, and urged it to take down exposed websites, but says the company failed to act.
These allegations, if accurate, reinforce indications that Equifax—which has a significant business selling data protection tools—was shockingly negligent and incompetent when it came to security. Earlier accounts of the breach have already indicated that hackers got in because the company failed to update its software, which should be standard practice for any corporation, and especially for those who handle sensitive consumer data.
Get Data Sheet, Fortune’s technology newsletter.
As Motherboard notes, all of this also suggests that the gaping security holes could have been exploited repeated by multiple hackers.
“If it took me three hours to find that website, I definitely think I’m not the only one who found it. It wasn’t just one breach. It was maybe dozens,” the researcher claimed.
Equifax has yet to provide a public response to the new allegations, beyond saying the company doesn’t comment on “internal security operations.”
Equifax is currently facing dozens of lawsuits over the data breach from consumer class action attorneys and from state and city governments. The new allegations are likely to provide the plaintiffs with new ammunition to obtain damages. As Fortune has reported, the Equifax hacking incident is likely to differ from earlier mass data breaches in that the company could pay out real money to the consumers affected.
