Four members of the Chinese military have been charged with breaking into the networks of the Equifax credit reporting agency and stealing the personal information of tens of millions of Americans, the Justice Department said Monday, blaming Beijing for one of the largest hacks in history to target consumer data.
The 2017 breach affected more than 145 million people, with the hackers successfully stealing names, addresses, Social Security and driver’s license numbers and other personal information stored in the company’s databases.
The four — members of the People’s Liberation Army, an arm of the Chinese military — are also accused of stealing the company’s trade secrets, including database designs, law enforcement officials said.
The accused hackers exploited a software vulnerability to gain access to Equifax’s computers, obtaining log-in credentials that they used to navigate databases and review records. The indictment also details efforts the hackers took to cover their tracks, including wiping log files on a daily basis and routing traffic through dozens of servers in nearly 20 countries.
“The scale of the theft was staggering,” Attorney General William Barr said Monday. “This theft not only caused significant financial damage to Equifax, but invaded the privacy of many millions of Americans, and imposed substantial costs and burdens on them as they have had to take measures to protect against identity theft.”
Equifax, headquartered in Atlanta, maintains a massive repository of consumer information that it sells to businesses looking to verify identities or assess creditworthiness. All told, the indictment says, the company holds information on hundreds of millions of Americans in the U.S. and abroad,
The case is the latest Justice Department accusation against Chinese hackers suspected of breaching networks of American corporations. It comes as the Trump administration has warned against what it sees as the growing political and economic influence of China, and efforts by Beijing to collect data on Americans and steal scientific research and innovation.
The administration has also been pressing allies not to allow Chinese tech giant Huawei to be part of their 5G wireless networks due to concerns that the equipment could be used to collect data and for surveillance.
The accused hackers are based in China and none is in custody. But U.S. officials nonetheless view criminal charges like the ones brought in this case as a powerful deterrent to foreign hackers and a warning to other countries that American law enforcement has the capability to pinpoint individual culprits behind hacks.
A spokesperson for the Chinese embassy did not immediately return an email seeking comment Monday.
The case resembles a 2014 indictment from the Obama administration Justice Department that accused five members of the PLA of hacking into major American corporations to steal their trade secrets. U.S. authorities also suspect China in the massive 2015 breach of the Office of Personnel Management and of intrusions into the Marriott hotel chain and Anthem health insurance company.
“This kind of attack on American industry is of a piece with other Chinese illegal acquisitions of sensitive personal data,” Barr said of Monday’s announcement, adding that “for years we have witnessed China’s voracious appetite for the personal data of Americans.”
The criminal charges — which include conspiracy to commit computer fraud and conspiracy to commit economic espionage — were filed in federal court in Atlanta.
Equifax last year reached a $700 million settlement over the data breach, with the bulk of the funds intended for consumers affected by it.
Equifax didn’t notice the intruders targeting its databases for more than six weeks. Hackers exploited a known security vulnerability that Equifax hadn’t fixed.
Once inside the network, officials said, the hackers spent weeks conducting reconnaissance. They stole login credentials and ultimately downloaded and extractedate data from Equifax to computers outside the United States.
The indictment says the hackers obtained names, birth dates, and Social Security numbers for about 145 million American victims, along with credit card numbers and other personal information for about 200,000.
According to the Government Accountability Office, the investigative arm of Congress, a server hosting Equifax’s online dispute portal was running software with a known weak spot. The hackers jumped through the opening to reach databases containing consumers’ personal information.
Equifax officials told GAO the company made many mistakes, including having an outdated list of computer systems administrators. When the company circulated a notice to install a patch for the software vulnerability, the employees responsible for installing the patch never got it.
Equifax’s $700 million settlement with the U.S. government gives affected consumers free credit-monitoring and identity-restoration services, plus money for their time or reimbursement for certain services. However, because so many people made claims, officials said some consumers would get far less than the eligible amounts because of caps in the settlement pool.
The Associated Press contributed to this article