X

China denies Equifax hack after Justice Department charged four military hackers

The Equifax breach affected more than half of the US population.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
4 min read
gettyimages-863815348

The Justice Department is charging four Chinese nationals for allegedly hacking Equifax.

Photo by Jaap Arriens/NurPhoto via Getty Images

The US Justice Department on Monday charged four members of China's People's Liberation Army in connection with the Equifax hack, one of the largest data breaches in US history

The four alleged Chinese military hackers are listed as Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei, according to the indictment. They are charged with computer fraud, economic espionage and wire fraud. 

"This is the largest theft of sensitive [personally identifiable information] by state-sponsored hackers ever recorded," FBI deputy director David Bowdich said at a press conference on Monday. 

The Chinese embassy denied that its government was behind the Equifax hack, and called out the US government for its history of hacking other nations for espionage, including China. 

"The Chinese government, military and relevant personnel never engage in cyber theft of trade secrets," China's foreign ministry spokesperson Geng Shuang said on Tuesday. "It has long been an open secret that the US government and relevant departments, in violation of international law and basic norms governing international relations, have been engaging in large-scale, organized and indiscriminate cyber stealing, spying and surveillance activities on foreign governments, enterprises and individuals."

screen-shot-2020-02-10-at-10-18-15-am.png

The four alleged hackers behind the Equifax hack.

FBI

This is only the second time the Justice Department has indicted Chinese military hackers, Bowdich said. The first time was in 2018, when the US charged Chinese hackers with theft from NASA and the technology sector.

In a statement, Equifax CEO Mark Begor thanked the Justice Department for its investigation and said it's increasingly difficult to protect companies from hacks by "well-financed nation-state actors that operate outside the rule of law." 

"It is reassuring that our federal law enforcement agencies treat cybercrime -- especially state-sponsored crime -- with the seriousness it deserves, and that the Justice Department is committed to pursuing those who target U.S. consumers, businesses and our government," Begor said. "The attack on Equifax was an attack on U.S. consumers as well as the United States."

The 2017 cyberattack on Equifax affected 147.7 million Americans, and the hackers got access to names, Social Security numbers, birthdates and addresses. In July 2019, the credit-monitoring agency settled with the Federal Trade Commission to pay at least $575 million over its security failures.  

"This data has economic value and these thefts can feed China's development of artificial intelligence tools as well as the creation of intelligence-targeting packages," Attorney General William Barr said.

At the time the hack was revealed, Equifax's then-CEO Rick Smith blamed a months-old server flaw that the company failed to patch. 

According to the indictment, the four hackers took advantage of the unpatched vulnerability and infiltrated Equifax's servers on July 30, 2017. The company blamed the security failure on a single employee, despite the fact that the vulnerability had been known about for at least two months. 

A congressional committee said in a 2018 report that the hack was "entirely preventable."

On Monday, Sen. Mark Warner, a Democrat from Virginia, echoed that point. 

"The indictment does not detract from the myriad of vulnerabilities and process deficiencies that we saw in Equifax's systems and response to the hack," Warner said in a statement. "A company in the business of collecting and retaining massive amounts of Americans' sensitive personal information must act with the utmost care -- and face any consequences that arise from that failure."

Sen. Ron Wyden, a Democrat from Oregon, also challenged the company over its security shortcomings.

"There's no separating privacy and national security," Wyden said in a statement. "When companies like Equifax amass vast stores of sensitive personal information and then cut corners on security, they become irresistible targets for unfriendly regimes like China." 

Equifax has completely overhauled its security practices since the breach and invested $1.25 billion in security improvements, according to Jamil Farshchi, the company's chief information security officer. 

The Equifax security chief noted that the company continues to fend off attempted cyberattacks every day, and expects hacks to escalate in the future. He said that given how dedicated the Chinese military hackers were, a breach could still have happened even if the vulnerability had been patched.

"They're extraordinarily sophisticated," Farshchi said in an interview. "I would say that it's possible." 

Once the hackers had access to Equifax's networks, they allegedly stole login credentials and sensitive personally identifiable information on Equifax's databases, as well as trade secrets, according to court documents. Prosecutors said the Chinese military hackers attempted to cover their tracks by using about 34 servers located in nearly 20 countries, including hosting services outside of China. 

Court documents charged that the alleged hackers also used encrypted communications within Equifax's network to blend in with the company's normal activities. 

Barr said the Justice Department normally doesn't bring charges against military officers of another country, but noted that there were exceptions, as in Equifax's case. 

"Equifax's cooperation throughout the investigation was critical to our development throughout this case," Barr said.

You can read the indictment here:

Originally published Feb. 10, 7:10 a.m. PT.
Update, 7:23 a.m. PT: Includes more details on the alleged hackers.
Update, 7:34 a.m. PT: Adds details from the indictment.  
Update, 8:18 a.m. PT: Includes statement from Equifax. 
Update, 9:03 a.m. PT: Adds statement from Sen. Warner.
Update, 10:32 a.m. PT: Adds statements from Sen. Wyden and Equifax CISO Jamil Farshchi.
Update, Feb. 11, 6:28 a.m. PT: Adds response from Chinese government. 

Watch this: Equifax breach: Find out if you can claim part of the $700 million