Attorney General William Barr on Monday announced indictments against four members of the Chinese military for hacking into the systems of credit agency Equifax in 2017, stealing the personal information of more than 145 million Americans in one of the biggest data breaches in history.
The nine-count indictment alleges that four members of the Chinese People’s Liberation Army (PLA)— Wu Zhiyong, Wang Qian, Xu Ke and Liu Le — worked to steal personal information including Social Security numbers and drivers license numbers.
“This was a deliberate and sweeping intrusion into the private information of the American people,” Barr said on Monday. “Today, we hold PLA hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the Internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us.”
The indictment, which was passed down by a federal grand jury in Atlanta, also charged the four Chinese nationals with stealing trade secrets, such as Equifax’s database designs, and noted that the defendants took steps to evade detection, such as routing online traffic through servers in 20 different countries to mask their location.
“This was an organized and remarkably brazen criminal heist of sensitive information of nearly half of all Americans, as well as the hard work and intellectual property of an American company, by a unit of the Chinese military,” Bar said.
The four defendants allegedly were able to hack into Equifax’s system through a vulnerability in the company’s online dispute portal. Through this vulnerability, the hackers spent weeks in the company’s system and allegedly were able to download and store the stolen information on servers outside of the United States.
The defendants were charged with three counts of conspiracy to commit computer fraud, conspiracy to commit economic espionage, and conspiracy to commit wire fraud.
Barr noted during a press conference on Monday that charges are not normally brought against foreign intelligence or military individuals, but that “the deliberate, indiscriminate theft of vast amounts of personal data of civilians cannot be countenanced.”
Equifax announced the breach in 2017, which compromised Social Security numbers, birthdates, home addresses, and driver license numbers. The company settled with the Federal Trade Commission (FTC) last year and agreed to pay $575 million in fines, along with $300 million towards a victim’s compensation fund and an additional $125 million if that fund runs out.
Equifax also agreed to significantly step up its cybersecurity protections and submit annual assessments to the FTC of its security status.
Only $31 million of the compensation fund was available for cash claims by victims of the data breach, with the FTC caught off guard last year by the high amount of people who opted for a cash settlement over free credit monitoring.
Equifax CEO Mark Begor said in a statement on Monday that the company was “grateful” to both the Justice Department and the FBI for their work to prosecute the data breach, noting that “the attack on Equifax was an attack on U.S. consumers as well as the United States.”
“We recognize that cybersecurity issues impact our entire industry, and we will continue to work openly with our peers, customers and partners, to tackle emerging security challenges, document best practices, provide vital data security thought leadership, and work together to deliver solutions that benefit both the security community and consumers,” Begor said. “Working together is the only path to defend against these attacks.”
Both Barr and FBI Deputy Director David Bowdich emphasized Monday that Equifax fully collaborated with the federal government throughout the investigation.
Bowdich also noted that the data stolen from Equifax has thus far not been used by the defendants and that he saw the theft as “broad collection” instead of “targeted intelligence work.”
“The size and the scope of this investigation—affecting nearly half of the U.S. population—demonstrates the importance of the FBI’s mission and our enduring partnerships with the Justice Department and the U.S. Attorney’s Office,” Bowdich said. “This is not the end of our investigation; to all who seek to disrupt the safety, security, and confidence of the global citizenry in this digital connected world, this is a day of reckoning.”
The announcement of the indictment came less than a week after Barr said during an event at the Center for Strategic and International Studies that the Justice Department was focused on Chinese hacking and espionage activities and that “you should expect more indictments and prosecutions in the future” for these activities.
Updated at 11:27 a.m.