Updated at 11:19 a.m. Tuesday
Four members of the Chinese military have been charged with breaking into the networks of the Equifax credit reporting agency and stealing the personal information of tens of millions of Americans, the Justice Department said Monday, blaming Beijing for one of the largest hacks in history to target consumer data.
The criminal charges were filed in federal court in Atlanta, where the company is based.
The 2017 breach affected more than 145 million people, with the hackers successfully stealing names, Social Security numbers and other personal information stored in the company’s databases.
The four — members of the People’s Liberation Army, an arm of the Chinese military — are also accused of stealing the company’s trade secrets, including database designs, law enforcement officials said. The accused hackers exploited a software vulnerability that enabled them to obtain login credentials and navigate the company’s network while searching for personal information.
The case comes as the Trump administration has warned against what it sees as the growing political and economic influence of China, and efforts by Beijing to collect data on Americans and steal scientific research and innovation. The administration has also been pressing allies not to allow Chinese tech giant Huawei to be part of their 5G wireless networks due to cybersecurity concerns.
The accused hackers are based in China and none is in custody. But U.S. officials nonetheless view the criminal charges as a powerful deterrent to foreign hackers and a warning to other countries that American law enforcement has the capability to pinpoint individual culprits behind hacks.
“It really sends a signal to the Chinese government that the U.S. government is angry here…” said Peter Swire, a professor in the Scheller College of Business at Georgia Tech. “It raises cybersecurity up on the list of negotiating issues. It shows that the U.S. government is really concerned here and that China shouldn’t do this with impunity.”
Federal authorities echoed those thoughts.
“This was a deliberate and sweeping intrusion into the private information of the American people,” Attorney General William Barr said in a statement Monday announcing the case.
“Today, we hold PLA hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the Internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us,” he added.
The case is one of several the Justice Department has brought over the years against members of the PLA. The Obama administration in 2014 charged five Chinese military hackers with breaking into the networks of major American corporations to siphon trade secrets.
A spokesperson for the Chinese embassy did not immediately return an email seeking comment Monday.
Equifax last year reached a $700 million settlement over the data breach, with the bulk of the funds intended for consumers affected by it.
“When you are a company that has sensitive personal information, you’ve got to make sure that it is being handled appropriately and legally,” said Georgia Attorney General Chris Carr. “That doesn’t mean that we don’t also then go after the criminals as well. So it’s kind of two sides of the coin: make sure that you fix the problem that occurred and hold those accountable on that side. But making sure that the criminals are being held accountable as well. It’s a two-part process in my mind.”
The indictment details efforts the hackers took to cover their tracks, including wiping log files on a daily basis and routing traffic through dozens of servers in nearly 20 countries. It includes charges of conspiracy to commit computer fraud, conspiracy to commit economic espionage and conspiracy to commit wire fraud.
Equifax didn’t notice the intruders targeting its databases for more than six weeks. Hackers exploited a known security vulnerability that Equifax hadn’t fixed.
Once inside the network, officials said, the hackers were able to download and exfiltrate data from Equifax to computers outside the United States.
According to the Government Accountability Office, the investigative arm of Congress, a server hosting Equifax’s online dispute portal was running software with a known weak spot. The hackers jumped through the opening to reach databases containing consumers’ personal information.
Equifax officials told GAO the company made many mistakes, including having an outdated list of computer systems administrators. When the company circulated a notice to install a patch for the software vulnerability, the employees responsible for installing the patch never got it.
Equifax’s $700 million settlement with the U.S. government gives affected consumers free credit-monitoring and identity-restoration services, plus money for their time or reimbursement for certain services. However, because so many people made claims, officials said some consumers would get far less than the eligible amounts because of caps in the settlement pool.
WABE producer Grace Walker contributed to this report.