ATLANTA (CN) —Four members of China’s military have been charged with hacking into the computer systems of credit reporting agency Equifax in 2017 and stealing the personal information of nearly half of all Americans.
In a nine-count indictment unsealed Monday, four members of China’s People’s Liberation Army were charged with conspiring to hack into Equifax’s computer networks, gaining and maintaining unauthorized access to those computers, and stealing the sensitive, personally identifiable information of about 145 million American victims. The defendants are also accused of stealing Equifax’s trade secrets.
In a statement Monday, Attorney General William Barr said the massive hack “fits a disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China and its citizens that have targeted personally identifiable information, trade secrets, and other confidential information.”
“Today, we hold PLA hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the Internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us,” Barr said.
According to the Jan. 28 indictment handed down by an Atlanta grand jury, Wu Zhiyong, Wang Qian, Xu Ke, and Liu Lei exploited a vulnerability in Equifax’s online dispute portal to obtain login credentials that could be used to access and navigate Equifax’s network.
The defendants were allegedly able to run about 9,000 queries on Equifax’s system to obtain names, birth dates, and social security numbers for millions of Americans.
The hackers took steps to avoid detection, concealing their true location by routing traffic through approximately 34 servers located in nearly 20 countries and wiping daily log files to hide records of their activity, the Justice Department said.
Equifax did not notice the intrusion into its databases for more than six weeks.
The indictment charges the defendants with three counts of conspiracy to commit computer fraud, conspiracy to commit economic espionage, and conspiracy to commit wire fraud. The defendants are also charged with two counts of unauthorized access and intentional damage to a protected computer, one count of economic espionage, and three counts of wire fraud.
Equifax disclosed the breach in September 2017. The credit bureau agreed to pay a $650 million settlement in July 2019 to resolve claims and class-action lawsuits stemming from the exposure of sensitive personal information.
In a statement Monday, Equifax CEO Mark Begor praised the Justice Department and the FBI for their “tireless efforts” in uncovering the perpetrators behind the cyberattack.
“It is reassuring that our federal law enforcement agencies treat cybercrime – especially state-sponsored crime – with the seriousness it deserves, and that the Justice Department is committed to pursuing those who target U.S. consumers, businesses and our government,” Begor said in the statement.
“The attack on Equifax was an attack on U.S. consumers as well as the United States,” he added.