Justice Department announces 4 Chinese military officers indicted in Equifax hack
Officials say some 150 million Americans were affected.
The Justice Department on Monday announced that four Chinese military officers have been indicted with hacking the credit company Equifax in 2017.
The breach compromised the personal information of some 150 million Americans, one of the largest data breaches in history, officials said.
“It came to light in the summer of 2017, when Equifax announced the theft. The scale of the theft was staggering. As alleged in the indictment, the hackers obtained the names, birth dates, and Social Security numbers of nearly 150 million Americans, and the driver’s license numbers of at least 10 million Americans. This theft not only caused significant financial damage to Equifax, but invaded the privacy of many millions of Americans, and imposed substantial costs and burdens on them as they have had to take measures to protect against identity theft,” Attorney General William Barr said at a news conference announcing the charges.
According to an indictment unsealed in the Northern District of Georgia, the hackers, members of China's People's Liberation Army, exploited a vulnerability in the Equifax network, which led to the hack.
Deputy Director or the FBI David Bowdich said that none of the information stolen has been used maliciously.
The four men are also charged with stealing trade secrets of a database the company developed.
The indictment alleges that the hackers exploited a known vulnerability in the Apache Struts software used by Equifax and that vulnerability was not patched prior to the data breach.
According to the indictment, “On or about March 7, 2017, Apache announced a vulnerability in certain versions of Apache Struts software that permitted unauthorized users to access the Apache Struts Web Framework and perform a remote code execution attack on a target web application.
"The United States Computer Emergency Readiness Team issued a threat warning notice about the vulnerability on or about the following day. The vulnerability was not patched on Equifax’s online dispute portal.”
“We are grateful to the Justice Department and the FBI for their tireless efforts in determining that the military arm of China was responsible for the cyberattack on Equifax in 2017," Mark Begor, Chief Executive Officer of Equifax, said in a statement. "It is reassuring that our federal law enforcement agencies treat cybercrime – especially state-sponsored crime – with the seriousness it deserves, and that the Justice Department is committed to pursuing those who target U.S. consumers, businesses and our government. The attack on Equifax was an attack on U.S. consumers as well as the United States," he said.
ABC News' Alexander Mallin and Jack Date contributed to this report.