WASHINGTON — Four members of the Chinese military have been charged with breaking into the computer networks of the Equifax credit reporting agency and stealing the personal information of tens of millions of Americans, the Justice Department said Monday, blaming Beijing for one of the largest hacks in history to target consumer data.
The hackers in the 2017 breach stole the personal information of roughly 145 million Americans, collecting names, addresses, Social Security and driver’s license numbers and other data stored in the company’s databases. The intrusion damaged the company’s reputation and underscored China’s increasingly aggressive and sophisticated intelligence-gathering methods.
“The scale of the theft was staggering,” Attorney General William Barr said Monday in announcing the indictment. “This theft not only caused significant financial damage to Equifax, but invaded the privacy of many millions of Americans, and imposed substantial costs and burdens on them as they have had to take measures to protect against identity theft.”
The case is the latest U.S. accusation against Chinese hackers suspected of breaching networks of American corporations, including steel manufacturers, a hotel chain and a health insurer. It comes as the Trump administration has warned against what it sees as the growing political and economic influence of China, and efforts by Beijing to collect data for financial and intelligence purposes and to steal research and innovation.
The indictment arrives at a delicate time in relations between Washington and Beijing. Even as President Donald Trump points to a preliminary trade pact with China as evidence of his ability to work with the Communist government, other members of his administration have been warning against cybersecurity and surveillance risks posed by China, especially as the tech giant Huawei seeks to become part of new, high-speed 5G wireless networks across the globe.
Experts and U.S. officials say the Equifax theft is consistent with the Chinese government’s interest in accumulating as much information about Americans as possible.
The data can be used by China to target U.S. government officials and ordinary citizens, including possible spies, and to find weaknesses and vulnerabilities that can be exploited — such as for purposes of blackmail. The FBI has not seen that happen yet in this case, said Deputy Director David Bowdich, though he said it “doesn’t mean it will or will not happen in the future.”
“We have to be able to recognize that as a counterintelligence issue, not a cyber issue,” said Bill Evanina, the U.S. government’s top counterintelligence official.
The four accused hackers are suspected members of the People’s Liberation Army, an arm of the Chinese military that was blamed in 2014 for a series of intrusions into American corporations.
Prosecutors say they exploited a software vulnerability to gain access to Equifax’s computers, obtaining log-in credentials that they used to navigate databases and review records. They also took steps to cover their tracks, the indictment says, wiping log files on a daily basis and routing traffic through dozens of servers in nearly 20 countries.
Besides stealing personal information, the hackers also made off with some of the company’s sensitive trade secrets, including database designs, law enforcement officials said.