WASHINGTON -- Four members of the Chinese military have been charged with a 2017 hack at the credit reporting agency Equifax that compromised the personal information of nearly half of all Americans.
In a nine-count indictment filed in federal court in Atlanta, federal prosecutors said the four members of the People's Liberation Army, an arm of the Chinese military, stole information from Equifax's systems in one of the largest consumer-data hacks in history.
Attorney General William Barr called the military members' effort "a deliberate and sweeping intrusion into the private information of the American people."
The 2017 breach gave hackers access to the personal information of roughly 145 million Americans, including names, addresses, Social Security numbers, driver's license numbers and birth dates.
"The scale of the theft was staggering," Barr said Monday in announcing the indictment. "This theft not only caused significant financial damage to Equifax, but invaded the privacy of many millions of Americans and imposed substantial costs and burdens on them as they have had to take measures to protect against identity theft."
Equifax last year agreed to a $700 million settlement with the Federal Trade Commission to compensate victims. Those affected can ask for free credit monitoring or, if they already have such a service, a cash payout. Because so many claims have been made for the cash, the FTC has warned that the payouts will be less than the maximum $125 originally proposed.
Barr said Monday that China has a "voracious appetite" for Americans' personal information. He pointed to other intrusions that he alleged have been carried out by Chinese actors in recent years, including breaches disclosed in 2015 of the health insurer Anthem and the Office of Personnel Management, as well as a 2018 hacking of the Marriott hotel chain.
"This data has economic value, and these thefts can feed China's development of artificial intelligence tools," Barr said. The attorney general said the indictment would hold the Chinese military "accountable for their criminal actions."
The Chinese Embassy in Washington did not respond to a request for comment.
William Evanina, director of the National Counterintelligence and Security Center, characterized the Equifax breach as "a counterintelligence attack on the nation," saying China had long been trying to gather Americans' personal and sensitive data.
The data can be used by China to target U.S. government officials and ordinary citizens, including possible spies, and to find weaknesses and vulnerabilities that can be exploited -- such as for purposes of blackmail. The FBI has not seen that happen yet, said Deputy Director David Bowdich, though he added that "doesn't mean it will or will not happen in the future."
Evanina said his chief concern was that Chinese intelligence agencies could use the stolen data to target those who work at universities or research firms who have access to useful information.
Those charged with the Equifax hack are Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei. Officials said they were members of the People's Liberation Army's 54th Research Institute.
None of the four is in custody, and officials acknowledged that there is little prospect they will come to the United States for trial.
"We can't take them into custody, try them in a court of law, and lock them up -- not today, anyway," Bowdich said. "But one day, these criminals will slip up, and when they do, we'll be there."Gallery: Four Chinese military members charged in Equifax case
The indictment arrives at a delicate time in relations between Washington and Beijing.
Even as President Donald Trump points to a preliminary trade pact with China as evidence of his ability to work with the communist government, other members of his administration have been warning against cybersecurity and surveillance risks posed by China, especially as the tech giant Huawei seeks to become part of new high-speed 5G wireless networks across the globe.
According to the indictment, in March 2017, a software firm announced a vulnerability in one of its products, but Equifax did not patch the vulnerability on its online dispute portal, which used that particular software.
In the months that followed, prosecutors said, the Chinese military hackers exploited that unrepaired software flaw, gaining access to Equifax's computers and obtaining log-in credentials that they used to navigate databases and review records.
The hackers also took steps to cover their tracks, the indictment says. They wiped log files on a daily basis, used encrypted communication channels and routed traffic through 34 servers in nearly 20 countries to hide their location.
Besides stealing personal information, the hackers also made off with some of the company's sensitive trade secrets, including database designs, according to law enforcement officials.
"American business cannot be complacent about protecting their data," Bowdich said.
The case resembles a 2014 indictment by the Barack Obama-era Justice Department that accused five members of the People's Liberation Army of hacking into American corporations to steal trade secrets.
Equifax, based in Atlanta, maintains a repository of consumer information that it sells to businesses looking to verify identities or assess creditworthiness. All told, the indictment says, the company holds information on hundreds of millions of people in America and abroad.
Barr said that while the Justice Department does not normally charge other countries' military or intelligence officers outside the United States, there are exceptions, adding that the indiscriminate theft of civilians' personal information "cannot be countenanced."
In the United States, he said, "we collect information only for legitimate, national security purposes."
Information for this article was contributed by Devlin Barrett, Matt Zapotosky and Ellen Nakashima of The Washington Post; and by Eric Tucker, Michael Balsamo, Nick Jesdanun, Ken Sweet and Frank Bajak of The Associated Press.
A Section on 02/11/2020
Print Headline: Chinese hackers indicted by U.S. in case tied to Equifax breach