The Department of Justice unveiled charges against four members of China’s military for allegedly hacking into the credit agency Equifax and stealing personal information of millions of Americans in 2017. Equifax holds data on more than 820 million consumers and information on 91 million businesses. As alleged in the indictment,the hackers obtained the birth dates and social security numbers of nearly 145 million Americans and drivers licences of at least 10 million Americans.Some UK and Canadians customers were also affected.
According to Equifax,the hackers accessed the information between mid-May and the end of July 2017. They exploited a vulnerability in a portal on Equifax’s website to steal login credentials used to gain access to databases on the company’s network and once inside the network, ran searches of databases to identify personal information, storing the results in files that were split into smaller pieces to download more efficiently.
The hackers also allegedly routed traffic through 34 servers in nearly 20 countries to try and hide their location. After the hack was identified, Equifax paid a $700m settlement to the Federal Trade Commission and at least $300M of the settlement went towards paying the victims for identity theft services and other related expenses.
This is one of the largest data breaches in US history according to Attorney General William Barr. The four charged are all members of the 54th Research Institute, a component of China’s People’s Liberation Army and they are: Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei. A federal grand jury in Atlanta returned the nine-count indictment on charges of computer fraud, economic espionage and wire fraud. The men have not been taken into custody and are considered wanted by the FBI.
China has not yet commented on the charges.
This is not the first time the US has charged members of the Chinese military with hacking US companies. The first indictment came back in 2014 after five military hackers stole trade secrets from six American companies in the nuclear, power, metal and solar industries.This incident lead to a deal the following year to try and restrain such activity.