On Monday, the U.S. Department of Justice announced the indictment of four members of China’s People’s Liberation Army (PLA) for their involvement in the 2017 breach of U.S. credit-reporting agency Equifax. According to U.S. Attorney General William P. Barr, the four PLA members were charged with “breaking into the computer systems of the credit-reporting agency Equifax, and for stealing the sensitive personal information of nearly half of all American citizens, and also Equifax’s hard-earned intellectual property.”
The four PLA members named by Barr are Wang Qian, Wu Zhiyong, Xu Ke, and Liu Lei. Barr said that they “conspired” to breach Equifax as an act of economic espionage. Equifax is one of the major American credit-reporting agencies, along with TransUnion and Experian. These agencies track a large amount of consumer financial information on tens of millions of U.S. persons. Data collected by these agencies is used by American financial institutions to make lending decisions, among other applications. None of these agencies are government-owned in the United States.
“The hackers obtained the names, birth dates, and social security numbers of nearly 150 million Americans, and the driver’s license numbers of at least 10 million Americans,” Barr said, describing the damage from the Equifax breach. “This theft not only caused significant financial damage to Equifax, but invaded the privacy of many millions of Americans, and imposed substantial costs and burdens on them as they have had to take measures to protect against identity theft,” he continued.
Barr’s announcement described the process by which the PLA individuals were alleged to have carried out the breach. The hackers used a vulnerability that was found in Equifax’s dispute resolution website, Barr said. “Once in the network, the hackers spent weeks conducting reconnaissance, uploading malicious software, and stealing login credentials, all to set the stage to steal vast amounts of data from Equifax’s systems.”
“While doing this, the hackers also stole Equifax’s trade secrets, embodied by the compiled data and complex database designs used to store the personal information,” Barr added, indicating that economic espionage was a major concern in this breach.
In the aftermath of the breach, the U.S. Federal Trade Commission filed a complaint against Equifax for implementing lax security measures. The FTC argued that Equifax had “failed to implement reasonable procedures to detect, respond to, and timely correct critical and other high-risk security vulnerabilities across [its] systems.”
As an example, the FTC said that Equifax had stored “numerous administrative credentials with access to sensitive personal information in plain text” and that it had “copied sensitive personal information, including SSNs, to numerous systems for development and testing purposes, which were accessible by employees and contractors without any business need.” A report from the U.S. House of Representatives Committee on Oversight and Reform described the breach as “entirely preventable.”
The 2017 Equifax breach represents one of the largest data breaches in history. Beyond economic espionage concerns, the data procured by the PLA over the course of the breach might be cross-referenced and integrated with data from other sources on American citizens of interest. For instance, in 2015, the U.S. federal government’s Office of Personnel Management, the body that handles, among other things, paperwork for security clearances, was breached. U.S. officials told reporters that the source of the breach was thought to have been China.
In the case of the OPM breach, the United States did not formally charge any members of the PLA or China’s Ministry of State Security, the country’s primary internal and external intelligence and counter-intelligence agency. Former U.S. National Security Agency Director Michael Hayden hinted at why this may have been the case: Hayden described the OPM breach as “legitimate state espionage, one government going after another for information that could contribute to its national security.” Speaking in 2015, he added, “As director of the National Security Agency, given the opportunity against similar Chinese information, I would not have hesitated for a second and I wouldn’t have had to get anyone’s permission to do it.”
Barr clarified the reason charges were brought against the four PLA individuals in the Equifax case. While saying that “traditional military and intelligence activity is a separate sphere of conduct that ought not be subject to domestic criminal law,” Barr added that there were exceptions — including election interference, large-scale economic espionage, and undercover intelligence officers operating in the United States — and the Equifax breach was one. “The deliberate, indiscriminate theft of vast amounts of sensitive personal data of civilians, as occurred here, cannot be countenanced,” Barr noted.