By Ryan Lucas and Philip Ewing
The Justice Department announced charges Monday against four members of the Chinese military for allegedly hacking the credit bureau Equifax in 2017 and stealing the personal information of around 145 million Americans.
In an indictment handed up by a grand jury in Atlanta, the men face nine counts including conspiracy to commit computer fraud and conspiracy to commit economic espionage.
Attorney General William Barr, who announced the charges, called it the latest example of what he said was a sweeping campaign by China’s government to steal seemingly endless amounts of data from the United States.
“Unfortunately, the Equifax hack fits a disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China and its citizens that have targeted personally identifiable information, trade secrets and other confidential information,” Barr said.
Equifax, which is based in Atlanta, compiles information on millions of Americans as part of the loan and finance system. Last year, it agreed to pay up to $700 million in fines and monetary relief to consumers.
The four men who have been charged are members of the 54th Research Institute of the People’s Liberation Army, according to the indictment.
The defendants illegally accessed Equifax’s network through a vulnerability in the company’s online dispute portal, prosecutors say.
Once inside the system, they vacuumed up names, birth dates and social security numbers for 145 million Americans — nearly half of all Americans. They stole credit card numbers and other information for some 200,000 Americans as well as Equifax trade secrets, the indictment says.
“For years, we have witnessed China’s voracious appetite for the personal data of Americans, including the theft of personnel records from the Office of Personnel Management, the intrusion into Marriott Hotels and Anthem health insurance companies, and now the wholesale theft of credit and other information from Equifax,” Barr said.
“This data has economic value,” he added, “and these thefts can feed China’s development of artificial intelligence tools, as well as the creation of intelligence targeting packages.”
The FBI’s deputy director, David Bowdich, said there’s no indication at this point that the stolen information has been used, including to target U.S. government officials.
Prosecutors say the hackers tried to cover their tracks to avoid detection by routing their work through around 34 servers located in nearly 20 countries.
The charges announced on Monday arethe latest against Chinese or China-linked defendants in a string of Justice Department prosecutions, part of what Barr and other officials call a huge wave of espionage activity, including economic, directed at the U.S.
Equifax CEO Mark Begor said in a statement on Monday that his company has tried to keep pace with cybersecurity but the sophistication of threats like that posed by China would test any company or other target.
“Combating this challenge from well-financed nation-state actors that operate outside the rule of law is increasingly difficult,” he said. “Fighting this cyberwar will require the type of open cooperation and partnership between government, law enforcement and private business that we have experienced firsthand.”
Sen. Ben Sasse, R-Neb., called on the government to do more along these lines because, he said, “warning lights are still flashing red,” alluding to earlier big compromises of official and private-sector networks.
“The Chinese Communist Party will leave no stone unturned in its effort to steal and exploit American data,” Sasse said. “These indictments are good news, but we’ve got to do more to protect Americans’ data from Chinese Communist Party influence operations.”