The US Department of Justice (DoJ) has charged four members of China’s military in relation to the 2017 Equifax hack, which saw the data of more than 145m Americans breached.
The nine-count indictment accused the Chinese military of hacking into Equifax’s computer networks, maintaining unauthorised access to them and stealing sensitive, personally identifiable information about US residents.
Charges were levied against Wu Zhiyong, Wang Qian, Xu Ke and Liu Le, who are members of the People’s Liberation Army’s (PLA) 54th Research Institute, a component of the Chinese military. It is the latest in a number of US cases pointing the alleged work of Chinese spies, including the Marriott hotel breach last year and the hacking of the US Office of Personnel Management in 2015.
“This was one of the largest data breaches in history,” said attorney general William Barr. “This was a deliberate and sweeping intrusion into the private information of the American people.”
In the summer 2017 breach, hackers stole names, birth dates and social security numbers among other data from the credit reporting agency. British and Canadian nationals were also affected.
Barr added: “Today, we hold PLA hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us.”
The indictment alleged the four hackers spent several weeks running queries to identify Equifax’s database structure and searching for sensitive, personally identifiable information within Equifax’s system. They routed traffic through approximately 34 servers located in nearly 20 countries to hide their true location.
Once they accessed files of interest, the conspirators are alleged to have then downloaded and exfiltrate the stolen data from Equifax’s network to computers outside the US. The DoJ said that in total, the attackers ran approximately 9,000 queries on Equifax’s system, obtaining personal information for nearly half of all US citizens.
The indictment also charges the four with stealing trade secret information, namely Equifax’s data compilations and database designs.
“In short, this was an organised and remarkably brazen criminal heist of sensitive information of nearly half of all Americans, as well as the hard work and intellectual property of an American company, by a unit of the Chinese military,” said Barr.
Equifax was ordered to pay up to $700m in fines as part of a settlement with the federal government in July last year. US congressional committees laid into Equifax and its former chief executive Richard Smith in a series of hearings for not properly rolling out publicly available security patches across its network, leaving it vulnerable to a breach.
The firm was also given a £500,000 fine by the UK’s Information Commissioner’s Office – the maximum penalty possible, as the incident occurred before General Data Protection Regulation (GPDR) came into effect in 2018.
Equifax’s current chief executive Mark Begor said: “It is reassuring that our federal law enforcement agencies treat cybercrime – especially state-sponsored crime – with the seriousness it deserves.”