A grand jury in Atlanta handed down a nine-count indictment charging four members of the Chinese People’s Liberation Army – Wang Qian, Wu Zhiyong, Xu Ke, and Liu Lei – with conspiring to hack Equifax, damaging the company’s computer systems, wire fraud and economic espionage. Attorney General William Barr announced the indictments in a press conference in Washington on Monday.
“The hackers broke into Equifax’s network through a vulnerability in the company’s dispute resolution website,” Barr said. “Once in the network, the hackers spent weeks conducting reconnaissance, uploading malicious software, and stealing login credentials, all to set the stage to steal vast amounts of data from Equifax’s systems.”
The Equifax data theft is the latest in a series of Chinese hacks, Barr said.
“For years, we have witnessed China’s voracious appetite for the personal data of Americans, including the theft of personnel records from the U.S. Office of Personnel Management, the intrusion into Marriott hotels, and Anthem health insurance company, and now the wholesale theft of credit and other information from Equifax,” Barr said. “This data has economic value, and these thefts can feed China’s development of artificial intelligence tools as well as the creation of intelligence targeting packages.”
U.S. regulators last year accused Equifax of failing to patch a known security flaw that enabled the hackers to swipe about 147 million names and dates of birth, 145.5 million Social Security numbers and 209,000 payment card numbers and expiration dates in 2017. It was one of the largest data breaches in U.S. history.
The Federal Trade Commission also said Equifax stored Social Security numbers and other consumer data in plain text files, which makes them more vulnerable to criminal activity. As part of the deal, Equifax agreed to meet a set standard for security systems and protocols.
In July, Equifax agreed to pay up to $700 million to settle federal and state investigations. The settlement requires Equifax to pay at least $575 million that includes $300 million for credit monitoring services, $175 million to states and $100 million in penalties to the Consumer Financial Protection Bureau.