WASHINGTON — The Justice Department has charged four members of the Chinese military with the 2017 hack at the credit reporting agency Equifax, a massive data breach that compromised the personal information of nearly half of all Americans.
In a nine-count indictment filed in federal court in Atlanta, federal prosecutors alleged that four members of the People's Liberation Army hacked into Equifax's systems, stealing the personal data as well as company trade secrets. In a statement announcing the case, Attorney General William Barr called their efforts "a deliberate and sweeping intrusion into the private information of the American people."
The 2017 breach gave hackers access to the personal information, including Social Security numbers and birth dates, of about 145 million people. Equifax last year agreed to a $700 million settlement with the Federal Trade Commission to compensate victims. Those affected can ask for free credit monitoring or, if they already have such a service, a cash payout of up to $125, though the FTC has warned a large volume of requesters could reduce that amount.
At a news conference announcing the indictment, Barr said that China had a "voracious appetite" for Americans' personal information and pointed to other intrusions he alleged that government's actors had carried out in recent years, including the 2015 hack at the health insurer Anthem, the 2015 hack at the Office of Personnel Management and the 2018 hack at the hotel chain Marriott.
"This data has economic value, and these thefts can feed China's development of artificial intelligence tools," Barr said.
Barr and other U.S. law enforcement officials have in recent weeks taken a particularly aggressive posture toward China. Late last week, Barr warned of that country's bid to dominate the burgeoning 5G wireless market and said the U.S. and its allies must "act collectively" or risk putting "their economic fate in China's hands."
Those charged with the Equifax hack are Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei. Officials said they were members of the PLA's 54th Research Institute.
According to the indictment, in March 2017, a software firm announced a vulnerability in one of its products, but Equifax did not patch the vulnerability on their online dispute portal, which used that particular software. In the months that followed, the Chinese military hackers exploited that unrepaired software flaw to steal vast quantities of Equifax's files, the indictment charges.
Officials said the hackers also took steps to cover their tracks, routing traffic through 34 servers in 20 countries to hide their location, using encrypted communication channels and wiping logs that might have given away what they were doing.
"American business cannot be complacent about protecting their data," said FBI Deputy Director David Bowdich.
Barr said that while the Justice Department did not normally charge other countries' military or intelligence officers outside of the United States, there were exceptions, and the indiscriminate theft of civilians' personal information "cannot be countenanced."
In the U.S., he said, "we collect information only for legitimate, national security purposes."
None of the four is in custody, and officials acknowledged there is little prospect of them coming to the United States. for trial. But the indictment does serve as a sort-of public shaming, and officials said that if those charged attempt to travel someday, the U.S. could potentially arrest them.
"We can't take them into custody, try them in a court of law, and lock them up - not today, anyway," Bowdich said. "But one day, these criminals will slip up, and when they do, we'll be there."
This article was written by Devlin Barrett and Matt Zapotosky, reporters for The Washington Post.