On Monday morning, the Department of Justice announced the indictment of four members of China’s military in connection with the 2017 hack of credit reporting agency Equifax, which exposed sensitive information for some 150 million Americans in 2017.
According to the indictment, the group hacked into Equifax’s systems in Alpharetta, Georgia, starting in May 2017, exploiting a vulnerability in the Apache Struts framework used by Equifax. The massive breach exposed names, Social Security numbers, birthdates, addresses, and, in some cases, driver’s license numbers, with credit card numbers for more than 200,000 people and other personally identifying information for approximately 182,000 people also compromised.
“The scale of the theft was staggering,” Attorney General William Barr said in a press conference. “The deliberate, indiscriminate theft of vast amounts of sensitive personal data of civilians, as occurred here, cannot be countenanced.”
It’s the second time the DOJ has indicted members of China’s People’s Liberation Army (PLA) in an economic espionage case. In 2014, the Obama administration announced 31 charges of economic espionage, trade secret theft, identity theft, conspiracy to commit computer fraud, and other related crimes against five PLA officers. (China denied involvement.) At the time, the indictment was seen as an unprecedented expansion of domestic criminal powers, although such charges have grown more common in the wake of that case.
In this case, prosecutors have charged the four PLA members with conspiracy to commit computer fraud, conspiracy to commit economic espionage, and conspiracy to commit wire fraud.
These were not the first charges the Justice Department has brought in connection with the breach. In July, former Equifax CIO Jun Ying was sentenced to four months in prison for insider trading for selling his stock options after learning about the breach.
FBI Deputy Director David Bowdich told reporters this morning that there was not evidence “at this time” that the exposed Equifax data was being used. But Bowdich expressed frustration about what he sees as the general attitude toward data breaches.
“We’ve almost become, as a country, immune to these breaches,” said Bowdich, adding that Americans have become used to reading about a breach and then signing up for credit card monitoring. “We cannot think like that. American businesses can not be complacent about protecting their data and intellectual property from our adversaries. American citizens cannot be complacent about protecting their sensitive data.”