Equifax: US charges four Chinese military officers over huge hack

Media captionUS Attorney General William Barr called the hack “one of the largest data breaches in history”

The US has charged four Chinese military officers over the huge cyber-attack on credit rating giant Equifax.

More than 147 million Americans were affected in 2017 when hackers stole sensitive personal data including names and addresses.

Some UK and Canadian customers were also affected.

China has denied the allegations and insisted it does not engage in cyber-theft.

Announcing the indictments on Monday, Attorney General William Barr called the hack “one of the largest data breaches in history”.

According to court documents, the four – Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei – are allegedly members of the People’s Liberation Army’s 54th Research Institute, a component of the Chinese military.

They spent weeks in the company’s system, breaking into security networks and stealing personal data, the documents said.

The nine-count indictment also accuses the group of stealing trade secrets including data compilation and database designs.

Chinese foreign ministry spokesman Geng Shuang denied the allegations on Tuesday and said China’s government, military and their personnel “never engage in cyber theft of trade secrets”.

He said China was itself a victim of cyber-crime, surveillance and monitoring by the US, Reuters reported.

The whereabouts of the four suspects is unknown and it is highly unlikely that they will stand trial in the US.

FBI Deputy Director David Bowdich said: “We can’t take them into custody, try them in a court of law, and lock them up – not today, anyway.”

What happened in 2017?

Equifax said hackers accessed the information between mid-May and the end of July 2017 when the company discovered the breach.

The accused allegedly routed traffic through 34 servers in nearly 20 countries to try to hide their true location.

Image copyright

Image caption

The FBI released this wanted picture of the suspects

The credit rating firm holds data on more than 820 million consumers as well as information on 91 million businesses.

  • On the inside of a hacking catastrophe

Mr Bowdich said there was no evidence so far of the data being used to hijack a person’s bank account or credit card.

Equifax CEO Mark Begor said in a statement that the company was grateful for the investigation.

“It is reassuring that our federal law enforcement agencies treat cybercrime – especially state-sponsored crime – with the seriousness it deserves.”

Critics have accused the company of failing to take proper steps to guard information and for waiting too long to inform the public about the hack.

Richard Smith, CEO of Equifax at the time of the hacking, resigned a month after the breach. He apologised for the firm’s failings, ahead of testifying in Congress.

Equifax was forced to pay a $700m (£541m) settlement to the Federal Trade Commission.

The US regulator alleged the Atlanta-based firm failed to take reasonable steps to secure its network. At least $300m of the settlement went towards paying for identity theft services and other related expenses run up by the victims.

In a statement Mr Barr said: “This was a deliberate and sweeping intrusion into the private information of the American people.

“Today we hold PLA hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us.”

This is not the first time the US has charged members of the Chinese military with hacking US companies.

The first indictment came back in 2014 and helped lead to a deal the following year to try to restrain such activity.

But clearly the US feels that it needs to return to the weapon of public indictments to increase pressure again.

The US has become increasingly concerned not just at the alleged theft of economic secrets but also the intelligence risks.

Equifax was one of a series of large data breaches linked to China – others include health care providers and, most significantly, the theft of data from the Office of Personnel Management which carried sensitive records for almost all US federal employees.

One of the concerns for US security officials is how Chinese spies may be able to put together these vast databases about US citizens.

Officials say the information could be used to create “targeting packages”, establishing which individuals have access to sensitive information and potential vulnerabilities which would allow them to be approached. They add, though, that so far they have not seen the Equifax information being used for that purpose.