The US Department of Justice has announced the indictment of four Chinese nationals allegedly working as hackers for the Chinese People’s Liberation Army. According to the indictment, the four accessed Equifax Inc’s online dispute portal between May and July 2017, and obtained personally identifiable information – including names, birth dates and social security numbers — of 145 million Americans, about half of the total US population. Additional PII such as driver’s license numbers and credit card numbers of ten million and 200,000 American consumers, respectively, was also obtained by the hackers, along with information pertaining to nearly one million citizens of the United Kingdom and Canada.
According to the indictment, which was filed under seal on January 28, 2020, the hackers exploited a vulnerability in the Apache Struts Web Framework, an open-source software used for web application development, to access Equifax’ dispute resolution portal, after Apache disclosed the existence of the vulnerability on March 7, 2017. The indictment alleges that the hackers rerouted the information through servers in twenty countries, and deleted internal Equifax activity logs that might have enabled detection.
The charges include conspiracy to commit computer fraud, conspiracy to commit economic espionage, conspiracy to commit wire fraud, wire fraud, unauthorized access, intentional damage to a protected computer, and economic espionage.
Equifax released a statement expressing the company’s gratitude to the DOJ for “their tireless efforts in determining that the military arm of China was responsible for the cyberattack on Equifax in 2017.” Court approval of the company’s multidistrict consumer data breach settlement was granted on January 13, 2020, which included a payment of at least $380,500,000 into a fund for class benefits, attorneys’ fees and expenses. In its announcement following the indictment, Equifax stated that it is spending $1.25 billion on enhanced security and technology, and that the company has made “tremendous progress toward embedding security into everything we do,” adding that the government’s announcement of the indictments “is another positive step forward in helping us turn the page on the cybersecurity attack as we continue our focus on being a leader in data security.”