The US charged four Chinese military hackers for the 2017 breach of the Equifax credit reporting agency affecting 150 million Americans, Attorney General William Barr said.
“This was a deliberate and sweeping intrusion into the private information of the American people,” Barr said when announcing the indictment of four Chinese Liberation Army members in connection with one of the largest data breaches in US history.
Chinese foreign ministry spokesman Geng Shuang denied the allegations and said China’s government, military and their personnel “never engage in cyber theft of trade secrets.”
The announcement is the latest in an aggressive campaign by US authorities to root out Chinese espionage operations in the US. Since turning the spotlight on China in 2018, the US has snared a growing group of Chinese government officials, business people and academics pursuing American secrets.
Roughly 147 million people had information, including Social Security numbers, birth dates and driver’s license data, compromised by the Equifax breach.
The hackers spent weeks in the Equifax system, breaking into computer networks, stealing company secrets and personal data. The hackers routed traffic through at least 34 servers in nearly 20 countries to hide their true location.
Equifax Chief Executive Mark Begor said the company was grateful for the Justice Department investigation.
“It is reassuring that our federal law enforcement agencies treat cybercrime – especially state-sponsored crime – with the seriousness it deserves,” he said in a statement.
US officials said Chinese hackers were behind a massive breach at the Office of Personnel Management, which came to light in 2015 and involved the compromise of sensitive personal data submitted by applicants for US government security clearances.
That breach exposed the names, Social Security numbers and addresses of more than 22 million current and former US federal employees and contractors, as well as 5.6 million fingerprints.
Chinese hackers are also suspected of being behind a massive breach at hotel group Marriott International Inc.
The Equifax hack fits a pattern of past Chinese cyberattacks, said Michael Daniel, a former White House cybersecurity co-ordinator, because stolen data can support other spying efforts.
“Its primary utility would be in developing potential targets for intelligence operatives or feeding artificial intelligence and machine learning tools,” said Daniel, currently president of the Cyber Threat Alliance, a cybersecurity information sharing group.
Chinese foreign ministry spokesman Geng, when asked about the indictments, said Beijing is a victim of US “cyber intrusion, surveillance and monitoring activities.”
“We lodged stern representations to the US and asked it to make explanations and immediately stop such activities,” he said.
Senator Ben Sasse, Republican member of the Senate Select Committee on Intelligence, urged tougher action to counter Chinese hacking.
“The Chinese Communist Party will leave no stone unturned in its effort to steal and exploit American data. These indictments are good news, but we’ve got to do more to protect American data from Chinese Communist Party influence operations,” he said in a statement.
The Equifax data breach, because it was so large and involved so much sensitive financial information on so many Americans, had far-reaching implications for Equifax and the consumer credit industry.
The company agreed to pay up to $700 million to settle claims it broke the law during the data breach and repay harmed consumers.
The scandal sent the company into turmoil, leading to the exit of its then-CEO, Richard Smith, and multiple congressional hearings as lawmakers challenged the company’s slowness to disclose the breach and its security practices.
Policymakers and consumer groups questioned how private companies could amass so much personal data, sparking efforts to bolster consumers’ ability to control their information. Both the Senate Banking and House of Representatives Financial Services Committees are considering legislation that would require companies to better protect consumer data.