The US Justice Department on Monday charged four members of China’s People’s Liberation Army in connection with the Equifax hack, one of the largest data breaches in US history.
The four alleged Chinese military hackers are listed as Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei, according to the indictment. They are charged with computer fraud, economic espionage and wire fraud.
“This is the largest theft of sensitive [personally identifiable information] by state-sponsored hackers ever recorded,” FBI deputy director David Bowdich said at a press conference on Monday.
The Chinese embassy didn’t immediately respond to a request for comment.
This is only the second time the Justice Department has indicted Chinese military hackers, Bowdich said. The first time was in 2018, when the US charged Chinese hackers with theft from NASA and the technology sector.
In a statement, Equifax CEO Mark Begor thanked the Justice Department for its investigation and said it’s increasingly difficult to protect companies from hacks by “well-financed nation-state actors that operate outside the rule of law.”
“It is reassuring that our federal law enforcement agencies treat cybercrime — especially state-sponsored crime — with the seriousness it deserves, and that the Justice Department is committed to pursuing those who target U.S. consumers, businesses and our government,” Begor said. “The attack on Equifax was an attack on U.S. consumers as well as the United States.”
The 2017 cyberattack on Equifax affected 147.7 million Americans, and the hackers got access to names, Social Security numbers, birthdates and addresses. In July 2019, the credit-monitoring agency settled with the Federal Trade Commission to pay at least $575 million over its security failures.
“This data has economic value and these thefts can feed China’s development of artificial intelligence tools as well as the creation of intelligence-targeting packages,” Attorney General William Barr said.
At the time the hack was revealed, Equifax’s then-CEO Rick Smith blamed a months-old server flaw that the company failed to patch.
According to the indictment, the four hackers took advantage of the unpatched vulnerability and infiltrated Equifax’s servers on July 30, 2017. The company blamed the security failure on a single employee, despite the fact that the vulnerability had been known about for at least two months.
A congressional committee said in a 2018 report that the hack was “entirely preventable.”
On Monday, Sen. Mark Warner, a Democrat from Virginia, echoed that point.
“The indictment does not detract from the myriad of vulnerabilities and process deficiencies that we saw in Equifax’s systems and response to the hack,” Warner said in a statement. “A company in the business of collecting and retaining massive amounts of Americans’ sensitive personal information must act with the utmost care — and face any consequences that arise from that failure.”
Sen. Ron Wyden, a Democrat from Oregon, also challenged the company over its security shortcomings.
“There’s no separating privacy and national security,” Wyden said in a statement. “When companies like Equifax amass vast stores of sensitive personal information and then cut corners on security, they become irresistible targets for unfriendly regimes like China.”
Equifax has completely overhauled its security practices since the breach and invested $1.25 billion in security improvements, said Jamil Farshchi, the company’s chief information security officer.
The Equifax security chief noted that the company continues to fend off attempted cyberattacks every day, and expects hacks to escalate in the future. He said that given how dedicated the Chinese military hackers were, a breach could still have happened even if the vulnerability had been patched.
“They’re extraordinarily sophisticated,” Farshchi said in an interview. “I would say that it’s possible.”
Once they had access to Equifax’s networks, the hackers allegedly stole login credentials and sensitive personally identifiable information from Equifax’s databases, as well as trade secrets, according to court documents. Prosecutors said the Chinese military hackers attempted to cover their tracks by using about 34 servers located in nearly 20 countries, including hosting services outside of China.
Court documents claimed that the alleged hackers also used encrypted communications within Equifax’s network to blend in with the company’s normal activities.
Barr said the Justice Department normally doesn’t bring charges against military officers of another country, but noted that there were exceptions, as in Equifax’s case.
“Equifax’s cooperation throughout the investigation was critical to our development throughout this case,” Barr said.