Four Chinese military hackers were charged with hacking into the Equifax credit reporting company in 2017 and stealing the personal information of nearly 150 million Americans, the Department of Justice said Monday.
The nine-count indictment says that the four officers exploited a vulnerability in Equifax's online dispute portal to conduct surveillance on the company’s network and then steal login credentials in what was one of the largest data breaches in history. The hackers managed to spend several weeks inside Equifax's network collecting data, storing it in output files and ultimately downloading it onto computers outside the United States — all while avoiding detection, the indictment says.
The result was the theft of names, birth dates and social security information belonging to approximately 145 million Americans.
"In short, this was an organized and remarkably brazen criminal heist of sensitive information of nearly half of all Americans, as well as the hard work and intellectual property of an American company, by a unit of the Chinese military," Attorney General William Barr said.
The four defendants — Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei — were members of the Chinese People’s Liberation Army’s 54th Research Institute, an arm of the Chinese military, the indictment says.
They each face three counts of conspiracy to commit computer fraud, conspiracy to commit economic espionage, and conspiracy to commit wire fraud, among other charges.
"This was a deliberate and sweeping intrusion into the private information of the American people," Barr said.
"Unfortunately, the Equifax hack fits a disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China and its citizens that have targeted personally identifiable information, trade secrets, and other confidential information," he added.
The Chinese Embassy in Washington did not respond to a request for comment,
Equifax disclosed the breach in September 2017, setting off a cascade of criticism over its security practices and response to the hack. Then-CEO Richard Smith resigned ahead of congressional hearings as the scandal deepened. The credit-reporting company later agreed to pay up to $700 million to settle federal and state probes — with $425 million set aside for affected customers.
According to the indictment, the hackers gained entry to the Equifax network on March 7, 2017.
The following day, the U.S. government's own Computer Emergency Readiness Team (CERT) warned of the specific vulnerability the Chinese were exploiting but Equifax did not patch its system, charging documents say.
Using this vulnerability, the four officers then allegedly uploaded software which allowed them to conduct reconnaissance of Equifax’s web systems and give them access to login credentials.
Prosecutors allege the officers then ran approximately 9,000 queries on Equifax’s system, using encrypted networks to mask their activity, primarily from two China-based IP addresses that connected directly to Equifax’s network. They used 34 servers located in nearly 20 countries to route the activity and conceal the data breach, the indictment says.
The breach also exposed the driver's license numbers of at least 10 million Americans, and credit card numbers and personal information belonging to nearly 200,000 Americans.
In a statement, Equifax CEO Mark Begor praised the Justice Department and the FBI for their "tireless efforts" in pursuing those responsible for the cyberattack.
"It is reassuring that our federal law enforcement agencies treat cybercrime – especially state-sponsored crime – with the seriousness it deserves, and that the Justice Department is committed to pursuing those who target U.S. consumers, businesses and our government," Begor said.
"The attack on Equifax was an attack on U.S. consumers as well as the United States."