US says Chinese military behind Equifax breach that stole Americans’ personal data
By Eric Tucker and Michael Balsamo
Feb 10, 2020 | 5:58 PM
Four members of the Chinese military have been charged with breaking into the computer networks of the Equifax credit reporting agency and stealing the personal information of tens of millions of Americans, the Justice Department said Monday, blaming Beijing for one of the largest hacks in history to target consumer data.
The 2017 breach affected more than 145 million people, with the hackers successfully stealing names, addresses, Social Security and driver's license numbers and other personal information stored in the company's databases. It damaged the company's reputation and also underscored China's aggressive and sophisticated intelligence-gathering methods.
The case is the latest U.S. accusation against Chinese hackers suspected of breaching networks of American corporations, including steel manufacturers, a hotel chain and a health insurer. It comes as the Trump administration has warned against what it sees as the growing political and economic influence of China, and efforts by Beijing to collect data for financial and intelligence purposes and to steal scientific research and innovation.
“The scale of the theft was staggering,” Attorney General William Barr said Monday. “This theft not only caused significant financial damage to Equifax, but invaded the privacy of many millions of Americans, and imposed substantial costs and burdens on them as they have had to take measures to protect against identity theft.”
The indictment comes at a delicate time in relations between Washington and Beijing. Even as President Donald Trump points to a preliminary trade pact with China as evidence of his ability to work with the Communist government, other members of his administration have been warning against cybersecurity and surveillance risks posed by China, especially as the tech giant Huawei seeks to become part of new, high-speed 5G wireless networks across the globe.
Experts and U.S. officials say the theft is consistent with the Chinese government's interest in collecting as much information about Americans as possible. The personal data can be easily sold — though officials say there is no evidence of that happening here — and used by Chinese intelligence services eager to target Americans, including possible spies, or find weaknesses and vulnerabilities that can be exploited.
“We have to be able to recognize that as a counterintelligence issue, not a cyber issue,” said Bill Evanina, the U.S. government's top counterintelligence official.
The four accused hackers are all suspected members of the People's Liberation Army, an arm of the Chinese military that was blamed in 2014 for a series of intrusions into American corporations.
Prosecutors say they exploited a software vulnerability to gain access to Equifax's computers, obtaining log-in credentials that they used to navigate databases and review records. They also took steps to cover their tracks, according to the indictment, wiping log files on a daily basis and routing traffic through dozens of servers in nearly 20 countries.
Besides stealing personal information, the hackers also made off with some of the company's sensitive trade secrets, including database designs, law enforcement officials said.
Equifax, headquartered in Atlanta, maintains a massive repository of consumer information that it sells to businesses looking to verify identities or assess creditworthiness. All told, the indictment says, the company holds information on hundreds of millions of people in America and abroad.
The accused hackers are based in China and none is in custody. But U.S. officials nonetheless hope that criminal charges like the ones brought in this case can be a deterrent to foreign hackers and a warning to other countries that American law enforcement has the capability to pinpoint individual culprits.
A spokesperson for the Chinese Embassy in Washington did not return an email seeking comment Monday.
The case resembles a 2014 indictment by the Obama administration Justice Department that accused five members of the PLA of hacking into major American corporations to steal trade secrets. U.S. authorities also suspect China in the massive 2015 breach of the federal Office of Personnel Management and of intrusions into the Marriott hotel chain and Anthem health insurance company.
Such hacks “seem to deliberately cast a wide net” so that Chinese intelligence analysts can, by cross-referencing these different illicitly acquired data sources, get deep insight into the lives of many Americans, said Ben Buchanan, a Georgetown University scholar and author of the upcoming book “The Hacker and the State.”
“This could be especially useful for counterintelligence purposes, like tracking American spies posted to Beijing,” Buchanan said.
Barr said the U.S. has for years “witnessed China's voracious appetite for the personal data of Americans.”
“This kind of attack on American industry is of a piece with other Chinese illegal acquisitions of sensitive personal data,” Barr said.
The criminal charges — which include conspiracy to commit computer fraud and conspiracy to commit economic espionage — were filed in federal court in Atlanta.
Equifax last year reached a $700 million settlement over the data breach, with the bulk of the funds intended for consumers affected by it.
The company didn’t notice the intruders targeting its databases for more than six weeks. Hackers exploited a known security vulnerability that Equifax hadn’t fixed.
Equifax officials told the Government Accountability Office the company made many mistakes, including having an outdated list of computer systems administrators. When the company circulated a notice to install a patch for the software vulnerability, the employees responsible for installing the patch never got it.
While the company's stock has recovered, Equifax's reputation has not fully recovered. The company was dragged in front of Congress no fewer than four times to publicly explain what happened.
The company is about to start paying out claims on its $700 million settlement, and more claimants have opted to get a cash settlement than to accept credit counseling. So many claims have been made for the cash that the lawyers suing Equifax and the Federal Trade Commission have warned claimants that getting the full cash value of the settlement was unlikely.