The US Department of Justice (DOJ) has charged four members of the Chinese military with hacking into one of America’s largest credit reporting agencies and stealing the personal data of around half of all US citizens.
The alleged hack of Atlanta-headquartered Equifax also allowed the hackers, determined by the DOJ to be members of the People’s Liberation Army (PLA), to obtain trade secrets related to the company’s database designs.
“This was an organised and remarkably brazen criminal heist of sensitive information of nearly half of all Americans,” US General Attorney William Barr, unveiling the nine-count indictment, said on Monday.
The four individuals alleged to have committed the 2017 cyberintrusion – Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei – were part of the PLA’s 54th Research Institute, the DOJ said. Their names are now listed on the FBI’s “most wanted” online database.
As well as obtaining the names, birth dates and social security numbers of around 145 million American citizens, the hackers also collected the driver license details of at least 10 million individuals and the credit card information of 200,000 people, according to the indictment.
FBI deputy director David Bowdich described the hack as the “largest theft of sensitive PII [personal identifiable information] by state-sponsored hackers ever recorded”.
The indictment, which was handed down by a grand jury in Atlanta, marked the culmination of more than two years of investigation conducted by officials from the FBI and DOJ, and in close coordination with Equifax.
The nine criminal charges brought by the 21-page indictment cover computer fraud, economic espionage and wire fraud, and are related to actions taken between May and July of 2017.
Detailing the methods employed in the breach, the indictment alleged that the hackers exploited vulnerabilities in software used by Equifax through which users could dispute possible inaccuracies in their records.
To mask their identities, the hackers were alleged to have used some 34 IP addresses in 20 counties, employed encrypted communication channels and wiped log files on a daily basis, said DOJ officials.
As one of the US’ top credit reporting agencies, Equifax collates and stores consumer information of tens of millions of Americans, data that it then sells to companies seeking to evaluate an individual’s credit rating or verify their identity.
With the DOJ action, the US was reminding China that it had the capability “to remove the Internet’s cloak of anonymity and find the hackers that [the] nation repeatedly deploys against us”, Barr said.
Though there was not yet any evidence of misuse of the obtained data, the FBI’s Bowdich said it could be readily monetised, adding that the relationship between a healthy economy and national security was something “China recognises very well”.
Personal information could also be used to direct targeted packages to US government officials, he said.
Monday’s announcement marked the latest in a rapidly growing list of criminal cases the DOJ has brought against Chinese entities over economic espionage, which officials say costs the US hundreds of billions of dollars each year.
Currently, the FBI is pursuing around 1,000 investigations related to China’s alleged theft of US trade secrets in all 56 of its field offices, bureau director Christopher Wray said at a conference in Washington last week.
Those actions have dovetailed with the US administration’s efforts to secure commitments from Beijing to alter its trade and economic practices, but have also accompanied a rise in complaints of racial profiling by Chinese-Americans, particularly those working in advanced or sensitive technologies.
As has become something of a scripted asterisk for law enforcement and justice officials speaking out against Beijing’s alleged acts of cyberintrusion and economic espionage, Bowdich emphasised during Monday’s press conference that the DOJ’s action was an indictment of China's government, not its people.
“Confronting this threat effectively does not mean we should not do business with China, host Chinese students, welcome Chinese visitors or coexist with China as a country on the world stage,” he said.
“What it does mean,” Bowdich continued, “is that when China violates our criminal laws and international norms, we will not tolerate it and we will hold them accountable for it.”