Four Chinese hackers have been charged for hacking US credit agency Equifax in 2017, compromising the sensitive financial data of around 145 million Americans.
The indictments are against Wu Zhiyong (吴志勇), Wang Qian (王乾), Xu Ke (许可) and Liu Lei (刘磊) and allege that they conspired to steal the data from Equifax while working for an arm of the Chinese military.
When announcing the charges on Monday, US Attorney General, William Barr, said the breach was “of a piece” with other Chinese cyber operations.
“Unfortunately, the Equifax hack fits a disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China and its citizens that have targeted personally identifiable information, trade secrets, and other confidential information,” Barr said.
“In short, this was an organised and remarkably brazen criminal heist of sensitive information of nearly half of all Americans, as well as the hard work and intellectual property of an American company, by a unit of the Chinese military.”
Wu, Wang, Xu, and Liu allegedly exploited a vulnerability in the Apache Struts Web Framework used by Equifax in order to get credentials that gave them access to the broader network.
The four then ran queries of the credit company’s database, probing it for weaknesses and finding ways to exploit extremely sensitive data including names, dates of birth, and social security numbers.
“This data has economic value and these thefts can feed China’s development of artificial intelligence tools as well as the creation of intelligence targeting packages,” Barr said.
The hackers have been charged with conspiracy to commit computer fraud, economic espionage, and wire fraud, as well as charges relating to unauthorised computer access.
They have not yet been arrested.
Equifax had a class action lawsuit brought against it in the wake of the 2017 breach and agreed to establish a $US380 million “Consumer Restitution Fund”.
People affected by the breach could claim compensation for time spent “remedying fraud, identity theft, or other misuse” of their personal information as a result of the breach.
They also have access to free credit monitoring and identity restoration services.