A federal grand jury has charged four members of the Chinese People’s Liberation Army with hacking Equifax and stealing personal data and trade secrets in one of the largest hacks on record.
Attorney General William Barr said Monday that the scale of the theft in 2017 was “staggering” and the suspects obtained information for nearly 150 million Americans. The attorney general said the hack was one of the largest on record and was a “deliberate and sweeping intrusion into the private information of the American people.”
Speaking at a news conference in Washington, Barr noted that it’s unusual for the US to charge members of another country’s military or intelligence service outside the US, but said the hack “not only caused significant financial damage to Equifax, but invaded the privacy of many millions of Americans, and imposed substantial costs and burdens on them as they have had to take measures to protect against identity theft.”
“This data has economic value and these thefts can feed China’s development of artificial intelligence tools as well as the creation of intelligence targeting packages,” Barr said.
Equifax first disclosed the hack, the largest in US history, in September 2017, three months after the company discovered the breach. The hack exposed sensitive information, including names, Social Security numbers, driver’s license numbers and addresses.
Hackers leveraged a security flaw in a tool designed to build web applications to steal customer data. Equifax admitted it was aware of the security flaw a full two months before the company says hackers first accessed its data.
The data breach prompted the resignation of CEO Richard Smith and investigations by federal regulators, multiple states attorneys general and the company faces a number of civil lawsuits.
Bill Evanina, the director of the National Counterintelligence and Security Center, told reporters Monday that the Equifax hack reflects the type of “consistent, persistent and unacceptable” activity from China that has been observed over the last year – posing a significant counterintelligence threat to the US.
Foreign adversaries – and China in particular – continue to target the US private sector to steal personal data and trade secrets in a way that reflects the broader need to for a “systemic change” in the way American companies and the public view those threats, Evanina said, adding that attacks like the one on Equifax must be viewed as a counterintelligence issue rather than just a cyber threat.
“Equifax has all of your data and Americans should care about that,” Evanina said.
That data is being used by foreign intelligence services for many purposes, including to enhance their country’s artificial intelligence capabilities – a goal that requires a much information as possible, he warned.
A major concern, according to Evanina, is China’s targeting of Americans, particularly government officials who do not possess a security clearance, by using data of this nature to identify potential vulnerabilities and using that information as leverage for their own purposes.
“Today we saw yet another indictment of the Chinese military for targeting the US private sector, highlighting their long-term effort to undermine US economic competitiveness and our strategic position globally,” said Jamil N. Jaffer, senior vice president for strategy, partnerships & corporate development at IronNet Cybersecurity.
“This intentional data theft is part of a larger Chinese effort to go after US companies, and it is therefore critical that American and allied companies work with one another – and across industries – to collectively defend themselves against this committed threat actor,” said Jaffer, who also previously served as the chief counsel and senior adviser to the Senate Foreign Relations Committee and currently serves as founder and executive director of the National Security Institute at GMU Law School.
This story has been updated to reflect additional information and Barr’s comments.