The US government has charged four Chinese military hackers over 2017’s massive Equifax breach, in which the personal details of nearly 150 million Americans were stolen. This is over 40% of the entire population of the United States.
The stolen data included, among other things, full names, Social Security numbers (SSNs), addresses, birthdays, driver’s license numbers, credit card data, and dispute documents containing personally identifying information. The breach also affected people in Canada and the United Kingdom.
On Monday, 10th February, US Attorney General William Barr announced the indictments, charging four individuals, namely Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei, all allegedly members of the People’s Liberation Army. It is worth noting that in 2013, China admitted to running a cyber warfare unit in the People’s Liberation Army.
According to court documents [PDF], the nine-count indictment alleges that these hackers spent weeks finding and exploiting vulnerabilities in Equifax’s cyberinfrastructure and managed to steal highly sensitive records of US citizens along with other documents including trade secrets.
In September 2017, Baird Equity Research released a report revealing that the Equifax breach was the result of a security vulnerability in the Apache Struts framework, an open-source Model-View-Controller (MVC) framework for building Java web applications. The US government has now confirmed that a vulnerability in the Apache Struts framework was indeed used by the hackers to breach Equifax.
“This was a deliberate and sweeping intrusion into the private information of the American people.” “Today we hold PLA hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us,” said Mr. Barr in a press release.
Although the US government has charged the hackers it believes are behind the Equifax breach, the nightmare for the company is far from over. The credit reporting giant is currently facing lawsuits worth billions of dollars filed by victims of the data breach.
According to Daniel Castro, Vice President of the Information Technology and Innovation Foundation (ITIF), “Today’s indictment shows that the ongoing debate about consumer data privacy has been muddled and misguided from the outset—focusing the blame on corporate victims rather than on the perpetrators of state-directed cyber espionage.”
“Many advocates are calling for data-protection laws that focus too much on expensive, bureaucratically onerous compliance mechanisms in the name of protecting consumers. While the private sector has more work to do to improve its cybersecurity practices, this case underscores that when the adversary is a state-backed military, there is little chance for the average company to be adequately prepared,” Mr. Castro warned.
“Instead of requiring companies to waste money on expensive and not-terribly-effective regulatory compliance, we should focus on building more secure digital infrastructure—such as replacing Social Security numbers with secure electronic IDs—and we should invest more in cybersecurity research and workforce training,” Mr. Castro advised.
He emphasized that “The Justice Department should vigorously investigate the case at hand, and other U.S. allies should help hold China accountable for these kinds of attacks on commercial systems. This warrants a serious response, not just a slap on the wrist.”
This is not the first time that state-sponsored hackers from China have been blamed for carrying out large-scale cyber attacks against the United States. In December 2018, Chinese hackers were held responsible for stealing data from US Navy contractors, including highly confidential information on advanced military technologies.
Also in 2018, state-sponsored Chinese hackers were accused of breaching computers belonging to a U.S. Navy contractor and stealing 614 gigabytes of highly sensitive data related to undersea warfare, along with classified information on future plans for the development of a supersonic anti-ship missile intended for use on U.S. submarines by 2020.