11 Feb 2020

US charges Chinese military hackers in 2017 Equifax breach

6:53 am on 11 February 2020

The United States has charged four Chinese military hackers for the breach of the Equifax credit reporting agency in 2017 that affected nearly 150 million American citizens, Attorney General William Barr said.

Attorney General William Barr. Barr announced the indictment of four members of China's military on charges of hacking into Equifax Inc. and stealing data from millions of Americans. 11 Feb 2020

Attorney General William Barr in front of the wanted poster of the four accused Chinese military hackers. Photo: AFP / Getty

"This was a deliberate and sweeping intrusion into the private information of the American people," Barr said about one of the largest data breaches in US history. The indictment charges four members of the Chinese Liberation Army.

The Chinese Embassy in Washington did not immediately respond to a request for comment.

The announcement is the latest in an aggressive campaign by American authorities to root out Chinese espionage operations in the United States. Since turning the spotlight on China in 2018, the US has snared a growing group of Chinese government officials, business people, and academics pursuing American secrets.

Roughly 147 million people had information, including Social Security numbers and driver's license data, compromised by the Equifax breach.

The hackers spent weeks in the Equifax system, breaking into computer networks, stealing company secrets and personal data. The hackers ran approximately 9000 queries on Equifax's system, taking names, birth dates and social security numbers for nearly half of all American citizens.

They routed traffic through approximately 34 servers located in nearly 20 countries to obfuscate their true location.

The data breach, because it was so large and involved so much sensitive financial information on so many Americans, had far-reaching implications for Equifax and the consumer credit industry.

Equifax did not immediately respond to a request for comment.

The company agreed to pay up to $US700 million to settle claims it broke the law during the data breach and to repay harmed consumers.

The scandal sent the company into turmoil, leading to the exit of its then-chief executive, Richard Smith, and multiple congressional hearings as the company's slowness to disclose the breach and security practices were challenged by lawmakers.

Policymakers and consumer groups have questioned how private companies could amass so much personal data, sparking efforts to bolster consumers' ability to control their information.

Both the Senate Banking and House of Representatives Financial Services Committees are considering legislation that would require companies to better protect consumer data.