UPDATED 15:20 EDT / FEBRUARY 10 2020

SECURITY

US charges four members of Chinese military over 2017 Equifax data breach

U.S. Attorney General William Barr announced today that four members of China’s military have been charged in connection with the 2017 Equifax Inc. breach that compromised the personal data of over 145 million Americans.

A grand jury in Atlanta handed down a nine-point indictment on Jan. 28. Chinese People’s Liberation Army operatives Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei face charges of wire fraud, economic espionage, conspiracy to commit computer fraud, and unauthorized access and intentional damage to a protected computer, among others.

Justice Department officials described the Equifax breach as the largest state-sponsored theft of personally identifiable information ever recorded. The hack unfolded over three months from May to June of 2017 after the attackers gained initial access to the credit bureau’s network via an insecure deployment of Apache Struts, a web development framework.

The vulnerable Apache Struts deployment powered a web portal that the company operated to let consumers dispute inaccurate information on their credit reports. After gaining access to the portal, the hackers stole login credentials that enabled them to broaden their access to Equifax’s systems. They spent the next few weeks running some 9,000 queries against the credit bureau’s database to gather information on consumers.

The hack exposed the names, birth dates and Social Security numbers of more than 145 million Americans, while a smaller number of people also had their driver’s license details and passports compromised. Some 15.2 million more consumers were affected in the U.K., including 693,665 who had sensitive personal information stolen.

In addition to the data theft, the Justice Department accuses the four defendants of using the attack to steal trade secrets, namely Equifax’s data compilations and database designs.

The disclosure of the breach in 2017 drew a strong public reaction that culminated in a congressional investigation. In a report published a year later, the House Oversight Committee concluded that Equifax could have prevented the breach by downloading a security patch for the vulnerable Apache Struts deployment. Regulators fined the company $700 million over the hack and then-Chief Executive Officer Richard Smith stepped down.

“Today’s announcement of these indictments further highlights our commitment to imposing consequences on cybercriminals no matter who they are, where they are, or what country’s uniform they wear,” FBI Deputy Director David Bowdich said in a statement. 

Photo: ajturner/CC by 2.0
