The Equifax data breach that exposed the personal data of 147 million people was the work of Chinese military hackers, according to a recent indictment made public by the Justice Department.
The Justice Department announced formal charges against four members of the 54th Research Institute, a division of the Chinese People’s Liberation Army. The four accused men – Wu Zhiyong, Wang Quian, Xu Ke and Liu Lei – are charged with computer fraud, wire fraud, economic espionage and conspiracy to commit computer fraud, wire fraud and economic espionage.
According to the indictment, in 2017 the hackers stole names and Social Security numbers from 145 million Americans as well as drivers’ license numbers and credit card numbers from millions. The Equifax data breach represented the obtainment of personally identifiable information (PII) for nearly half of America’s citizens.
The breach has been blamed on Equifax’s failure to install recommended updates to Apache Struts software, an open-source software package used for web applications. The software was used to maintain an online dispute portal that enabled consumers to research and dispute credit report inaccuracies.
FBI Deputy Director David Bowdich said there’s no evidence the stolen information was used for illegal purposes, but it showed that China is one of the most significant threats to national security.
According to the indictment, the four charged men:
- Determined that Equifax had neglected to install a recommended upgrade to Apache Struts software, which created a security flaw.
- Used the flaw to upload programming language to an Equifax server that allowed remote system access.
- Uncovered Equifax database credentials and gained unauthorized access to Equifax’s network.
- Searched the system thousands of times for PII.
- Stored the PII in temporary files and compressed them into smaller files to aid in undetected transmission.
- Used servers in multiple countries to disguise the origin of the hack.
“The scale of the theft was staggering,” Attorney General William P. Barr said. “This theft not only caused significant financial damage to Equifax but invaded the privacy of many millions of Americans and imposed substantial costs and burdens on them as they have had to take measures to protect against identity theft.”
Following the data breach, Equifax faced a class-action lawsuit and agreed to pay $380.5 million to data breach victims as well as up to $1 billion for security upgrades along with $175 million to 48 states and $100 million to the Consumer Financial Protection Bureau. Equifax officials have agreed to pay $1.4 billion in litigation expenses as well.