4 Chinese military members charged in Equifax hack

Dive Brief:

Four members of China’s People’s Liberation Army are charged in the 2017 Equifax hack that exposed the personal information of more than 145 million people, the Justice Department announced Monday.
The defendants exploited a vulnerability in the Apache Struts Web Framework software used by Equifax’s online dispute portal to acquire login credentials that would let them further navigate the credit bureau’s network, the DOJ said.
The attackers routed traffic through 34 servers in nearly 20 countries to mask their true location, the DOJ said. They also used encrypted communication channels in Equifax’s network to blend in with normal network activity, and deleted compressed files and wiped log files daily to erase records of their activity, the agency said.

Dive Insight:

Financial services companies have more to lose in the aftermath of a breach than government agencies, health care providers or retailers, fellow credit bureau Experian reported in September. Indeed, Equifax’s reputation suffered in the wake of the hack. The company’s CEO, head of cybersecurity and chief information officer resigned in the wake of the incident — and the former CIO would be sentenced to four months in prison for insider trading.

Equifax announced a settlement worth $400 million last year, which would have given $125 to anyone affected by the breach. But settlement funds were later capped at $31 million, and the Federal Trade Commission urged consumers to opt for credit monitoring instead of cash because Equifax would likely have run out of money covering the payments.

The attackers spent several weeks running approximately 9,000 queries on Equifax’s system, obtaining names, birth dates and Social Security numbers, the DOJ said. Deputy FBI Director David Bowditch said the information stolen in the breach has never been used by those who stole it, CNBC reported last year.

Attorney General William Barr called the hack a "deliberate and sweeping intrusion into the private information of the American people."

"We remind the Chinese government that we have the capability to remove the Internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us," Barr said. "Unfortunately, the Equifax hack fits a disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China and its citizens that have targeted personally identifiable information, trade secrets, and other confidential information."

Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei are charged with three counts of conspiracy to commit computer fraud, conspiracy to commit economic espionage and conspiracy to commit wire fraud, the DOJ said. The defendants are also charged with two counts of unauthorized access and intentional damage to a protected computer, one count of economic espionage and three counts of wire fraud.