U.S. accuses Chinese military hackers in massive Equifax breach over 2 years ago

Four Chinese military hackers have been charged with breaking into the computer networks of the Equifax credit reporting agency and stealing the personal information of tens of millions of Americans, the U.S. Justice Department announced Monday.

The 2017 breach affected 145 million Americans, and hundreds of thousands elsewhere in the world

Attorney General William Barr, right, and FBI Deputy Director David Bowdich, left, announced the charges Monday at a news conference in Washington, D.C. (Jacquelyn Martin/The Associated Press)

Four members of the Chinese military have been charged with breaking into the networks of the Equifax credit reporting agency and stealing the personal information of tens of millions of Americans, the U.S. Justice Department said Monday, blaming Beijing for one of the largest hacks in history.

The 2017 breach affected roughly 145 million Americans, with the hackers successfully stealing names, Social Security numbers and other personal information stored in the company's databases.  

The four — members of the People's Liberation Army (PLA), an arm of the Chinese military — are also accused of stealing the company's trade secrets, law enforcement officials said. They were identified in a news release as Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei.

The case comes as the Trump administration has warned against what it sees as the growing political and economic influence of China, and efforts by Beijing to collect data on Americans and steal scientific research and innovation.

The accused hackers allegedly exploited a software vulnerability to gain access to Equifax's computers, obtaining log-in credentials that they used to navigate databases and review records. The indictment also details efforts the hackers took to cover their tracks, including allegedly wiping log files on a daily basis and routing traffic through dozens of servers in nearly 20 countries.

"The scale of the theft was staggering," Attorney General William Barr said Monday. "This theft not only caused significant financial damage to Equifax, but invaded the privacy of many millions of Americans, and imposed substantial costs and burdens on them as they have had to take measures to protect against identity theft."

Equifax, headquartered in Atlanta, maintains a massive repository of consumer information that it sells to businesses looking to verify identities or assess creditworthiness.

Civil settlement reached in U.S. last year

The case is one of several the U.S. Justice Department has brought over the years against members of the PLA. The Obama administration in 2014 charged five Chinese military hackers with breaking into the networks of major American corporations to siphon trade secrets.

The indictment, which details efforts the hackers took to cover their tracks, includes charges of conspiracy to commit computer fraud, conspiracy to commit economic espionage and conspiracy to commit wire fraud.

The indictment also alleges that the hackers "obtained personally identifiable information belonging to nearly a million citizens of the United Kingdom and Canada." It did not provide a breakdown, but weeks after the breach, Equifax estimated the number of customers affected at around 700,000 in the United Kingdom and nearly 20,000 in Canada.

Equifax's corporate headquarters in Atlanta is shown in a file photo. The company came in for heavy criticism from U.S. politicians and government officials over the hacking scandal, with its CEO fired as a result. (Mike Stewart/The Associated Press)

Equifax was criticized soon after the hack for not acting on earlier warnings of vulnerabilities and not noticing the intrusions for weeks, but on Monday government officials credited the company with aiding the investigation.

Equifax officials told the U.S. Government Accountability Office that the company made many mistakes, including having an outdated list of computer systems administrators. When the company circulated a notice to install a patch for the software vulnerability, the employees responsible for installing the patch never got it.

The company CEO at the time, Richard Smith, was replaced as a result of the failures.

Equifax last year reached a $700 million US settlement over the data breach, with the bulk of the funds intended for consumers affected by it. However, because so many people made claims, officials said some consumers would get far less than the eligible amounts because of caps in the settlement pool.

With files from CBC News and Reuters


To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.