US charges four Chinese over Equifax hack
Written by Peter Walker
The United States has charged four Chinese military hackers over the 2017 Equifax data breach.
A federal grand jury in Atlanta returned a nine-count indictment against Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei - all members of the Chinese People's Liberation Army's 54th Research Institute.
The indictment explained that the defendants exploited a vulnerability in the Apache Struts Web Framework software used by Equifax’s online dispute portal.
Roughly 147 million US citizens had information - including Social Security numbers and driver’s license data - compromised by the hack on Equifax. The hackers spent weeks in the credit reporting agency’s system, routing traffic through approximately 34 servers in nearly 20 countries to obfuscate their true location.
Attorney general William Barr called it one of the largest data breaches in history, commenting: “We hold PLA hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us.
"Unfortunately, the Equifax hack fits a disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China and its citizens that have targeted personally identifiable information, trade secrets, and other confidential information."
In September 2018, Equifax was fined £500,000 by the Information Commissioner’s Office, after the data of 15 million Britons was left exposed by the cyber attack.
Then last summer, Equifax agreed to pay up to $700 million to settle with the Federal Trade Commission - the largest ever payout to settle a data breach case.
Tim Mackey, senior principal consultant at the Synopsys' Cybersecurity Research Centre, said that while it was heartening to learn the FBI has identified those responsible for the Equifax breach, the news doesn’t address the public concerns over their personal data being used in a future attack.
"That’s because the attackers define the rules in a cyber attack, not the defenders - when a nation state is responsible, their motives are even more obscure which raises a related question – was Equifax the target or a target of opportunity?"
He continued: "While it might be tempting to hope that Equifax was the sole target of these attackers, the reality is likely quite different - attackers of all stripes are continuously looking for insecure systems to compromise."