Four Chinese military officials have been charged with masterminding the devastating Equifax hack of 2017, and stealing sensitive information on 150 million US customers alongside trade secrets.
A US federal grand jury has indicted the four Chinese nationals for conspiring with the Chinese military to steal the personal and financial data of Equifax customers as part of a major hacking operation.
The attack exploited a major vulnerability in software used by the credit rating agency’s online dispute portal, and was notable not for its size but the quality of data the alleged hackers managed to harvest. The data included full names, dates of birth and addresses in addition to drivers’ license numbers, credit card information and social security numbers.
“This was a deliberate and sweeping intrusion into the private information of the American people,” the US Attorney General William Barr said at a press conference, according to the Wall Street Journal.
“We collect information only for legitimate national security purposes; we don’t indiscriminately violate the privacy of ordinary citizens.”
The charges have come in the midst of rising trade and geopolitical tensions between the US and China. The Trump administration, for instance, has not just slapped tariffs on Chinese networking products, but has mulled banning major companies like Huawei and ZTE entirely.
The Equifax Effect: Explaining the biggest security disaster of the 21st century Chinese hackers target maritime military secrets and blitz other global companies Chinese hackers used 'stolen' NSA tools a year before they were leaked by the Shadow Brokers Mitsubishi breached by suspected Chinese hackers
The US also has a brief history of blaming the Chinese hacking into US companies in order to gain a competitive advantage.
Prosecutors with the US Justice Department, for example, charged five Chinese army officials with hacking into private US-based companies in 2014.
The then Attorney General Eric Holder branded the security breaches as “significant” when the charges were filed, with the Chinese military officers having stolen trade secrets and internal documentation from five companies and one trade union.
The frequency of hacking charges issued by the US has risen in recent years, with individuals from Iran, Russian and North Korea also subject to similar indictments by consequence of alleged state-sponsored hacking.
“For years, we have witnessed China’s voracious appetite for the personal data of Americans, including the theft of personnel records from the Office of Personnel Management, the intrusion into Marriott hotels and Anthem health insurance company, and now the wholesale theft of credit and other information from Equifax,” Barr added.
Equifax was fined £500,000 by the UK’s data protection watchdog the Information Commissioner’s Office (ICO) in late 2018 for violating the Data Protection Act 1998.
Application security fallacies and realities
Web application attacks are the most common vulnerability, so what is the truth about application security?
The credit agency narrowly avoided a penalty under GDPR due to the incident having occurred prior to 25 May 2018, although the same cannot be said for Marriott, which was fined £99 million last year for the breach of its systems.
Investigators looking into the attack had pinpointed Chinese authorities as being responsible, which Barr effectively corroborated with his assertions in the wake of charging four Chinese military officials for the Equifax breach.
Although responsibility for the Equifax breach has not been designated until now, the firm’s ex-CIO was sentenced to four months in prison for insider trading in the wake of the disaster. Jun Ying was found guilty in July 2019 of selling $950,000 worth of company shares after learning that Equifax had sustained the breach
