Chinese hackers indicted in Atlanta over 2017 Equifax data breach

A federal grand jury indicted four members of China's People's Liberation Army for the Equifax data breach on Monday.

Equifax headquarters, Atlanta. (Photo: John Disney/ALM)

Four members of the Chinese People’s Liberation Army have been charged with the 2017 hack of Atlanta-based credit reporting agency Equifax that compromised the personal and financial data of an estimated 147 million people, U.S. Attorney General William Barr announced Monday. 

Barr said all four were members of the 54th Research Institute, a division of the Chinese military.

“We remind the Chinese government that we have the capability to remove the Internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us,” Barr said.

Barr said the hack “fits a disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China and its citizens that have targeted personally identifiable information, trade secrets, and other confidential information.” 

Defendants Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei were indicted by a federal grand jury in Atlanta on multiple counts associated with stealing trade secret information — including conspiracy to commit computer fraud, conspiracy to commit economic espionage and conspiracy to commit wire fraud. They also are charged with two counts of unauthorized access and intentional damage to a protected computer.

The Chinese Embassy in Washington, D.C., did not immediately respond to a request for comment.

Indictment charges outline hackers’ crimes and Equifax’s failures

According to the indictment, the hackers obtained names, birthdates and Social Security numbers for nearly half the U.S. population, driver’s license numbers for at least 10 million people and credit card numbers and other identifying information for approximately 200,000 people.

They also obtained personal identifying information for nearly one million citizens of the United Kingdom and Canada, the indictment alleges.

The defendants were able to use a software vulnerability to gain entry to Equifax’s online dispute portal, Barr said.

The indictment said Equifax failed to act on a warning to fix a software vulnerability in its online dispute portal, which people use to research and dispute potential inaccuracies in their credit reports.

Barr said the defendants routed traffic through an estimated 34 servers in 20 countries to evade detection, used encrypted communication channels within Equifax’s own network and deleted files daily to eliminate traces of their illicit presence.

The hackers also used Equifax database service credentials to falsely represent they were authorized users of the credit reporting agency network, the indictment said. The hackers ran at least 9,000 queries on Equifax’s system, the majority of which were generated through two China-based IP addresses connected directly to Equifax’s network, the indictment said. The conspirators then stored stolen information in temporary files, which they downloaded, the indictment said.

Equifax CEO Mark Begor on Monday called the breach “an attack on U.S. consumers as well as the United States.”

Begor said cybercrime “is an ongoing battle that every company will continue to face as attackers grow more sophisticated” and will “require the type of open cooperation and partnership between government, law enforcement and private business.”

Begor also made note of the credit reporting agency’s intent to spend $1.25 billion on enhancing its security and technology, a provision included in Equifax’s $1.4 billion class-action settlement with consumers whose data was stolen.

The fallout for Equifax

In a joint statement Monday, co-counsel for the consumer class plaintiffs—Kenneth Canfield of Atlanta’s Doffermyre Shields Canfield & Knowles, Amy Keller of Chicago’s DiCello and Norman Siegel of Stueve Siegel Hanson in Kansas City—said the settlement they negotiated “certainly considered that a foreign government was responsible for the breach, which is why we insisted Equifax implement strong measures to prevent future attacks, provided a mechanism for monitoring a decade into the future.”

The indictments announced Monday follow earlier convictions of two former Equifax employees in Atlanta associated with the 2017 hack.

Jun Ying, the former chief information officer of Equifax U.S. Information Solutions, was sentenced to four months in prison and fined $55,000 for engaging in insider trading ahead of Equifax’s public announcement of the data breach.

Ying exercised all of his vested stock options and sold more than 6,800 shares for nearly $1 million prior to public disclosure of the hack, avoiding more than $117,000 in losses, prosecutors said.

In a separate civil settlement with the U.S. Securities and Exchange Commission, Ying agreed to a $125,636 disgorgement.

In July 2018, Sudhakar Reddy Bonthu—a former software development manager at Equifax—pleaded guilty to violating federal securities laws after he traded his Equifax stock before the data breach was announced. He was sentenced to eight months of home confinement and fined $50,000. In a separate civil settlement with the SEC, Reddy agreed to disgorge $75,167.
