Chinese army hackers charged in huge Equifax cyber attack

Equifax was faulted in its response to a huge data breach in 2017. The attack was engineered by a Chinese army unit, the Justice Department alleged Monday. (AP Photo/Mike Stewart, File)

Editor’s note: This article has been updated with additional details.

The U.S. Department of Justice has charged hackers allegedly working for the Chinese government with the 2017 cyber attack on Atlanta-based Equifax.

A federal grand jury in Atlanta returned an indictment charging four members of the Chinese People's Liberation Army with hacking into Equifax systems in a three-month campaign aimed at stealing the personal data of American consumers and the company's trade secrets.

That attack, arguably the worst heist of consumer data on record, led to the theft of data from more than 147 million consumers.

“This was a deliberate and sweeping intrusion into the private information of the American people,” said Attorney General William Barr, in a statement issued Monday. “Today, we hold PLA hackers accountable for their criminal actions.”

Charged were Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei, members of the PLA's 54th Research Institute, a component of the Chinese military, according to the Justice Department.

Attempts by The Atlanta Journal-Constitution to reach the Chinese Embassy for comment Monday were unsuccessful.

The hackers obtained access to “names, birth dates and social security numbers for nearly half of all American citizens,” according to the Justice Department.

The data hack fit “a disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China,” Barr said.

However, law enforcement is capable of tracking such attacks, he said. “We remind the Chinese government that we have the capability to remove the Internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us.”

The investigation was conducted by the U.S. Attorney's Office in Atlanta, along with the Justice Department and the cyber division of the Federal Bureau of Investigation.

Equifax cooperated in the investigation, the Justice Department said.

In a statement Monday, Equifax CEO Mark Begor said the company was grateful to the law enforcement agencies for the investigation.

“It is reassuring that our federal law enforcement agencies treat cybercrime – especially state-sponsored crime – with the seriousness it deserves,” he said. “The attack on Equifax was an attack on U.S. consumers as well as the United States.”

The company disclosed the breach in September 2017, eventually acknowledging that the breach had continued for 76 days and exposed personal information of about 150 million Americans, as well as millions of others.

The company’s response drew outrage from consumer groups.

Congressional hearings were held, and a number of top executives – including CEO Rick Smith – took early retirement. Those high-ranking executives escaped punishment and departed with healthy retirement packages, although several lower-level executives were charged with insider trading for stock trades made before the breach was publicly revealed.

Several months later, Begor was named to head the company.

Initially, it seemed the fury threatened Equifax’s survival, but no legislative action was taken.

The company in July announced a $700 million-plus settlement with the government that ended legal action stemming from the breach. That deal called for the company to create a consumer restitution fund of up to $425 million, to pay $290.5 million to state and federal regulators and to cover millions of dollars in lawyers’ fees assessed in the many lawsuits filed.

The company has also said it has invested more than $1 billion in improving its security.

Equifax’s stock took a hit after the breach was revealed, but gradually came back.

On Monday morning, Equifax shares dipped slightly on the news of the indictment, trading at about $154 a share, but were still more than $10 higher than before the breach was revealed.

According to the indictment, the hackers exploited a vulnerability in the Apache Struts Web Framework software that was part of the company’s online dispute portal.

The hackers used that access to obtain login credentials that let them navigate the company’s network.

To hide their identities, the hackers routed their interactions through several dozen computer servers in nearly 20 countries, the Justice Department said.