The Justice Department has charged four members of the Chinese Public Liberation Army with responsibility for what it says is the largest theft of personally identifiable information—and trade secrets—by a state-sponsored actor, following a two-year investigation into the monumental data breach of credit reporting agency Equifax.
“This was a deliberate and sweeping intrusion into the private information of the American people,” said Attorney General William Barr, releasing the indictment. “Today, we hold PLA hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the Internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us.
In September 2017, Equifax announced the unauthorized exposure of the data of 147 million Americans—including dates of birth, Social Security numbers, physical addresses and drivers licenses.
Justice officials making the announcement of the charges today noted they are limited in the actions that can be taken against the individuals—Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei, who allegedly perpetrated the attack.
“We can’t put them in jail,” for example, FBI Deputy Director David Bodich said in the press briefing.
But administration officials have pointed to similar allegations in pushing for the removal of Chinese companies such as telecommunications equipment maker Huawei from the country’s critical infrastructure.
“Unfortunately, the Equifax hack fits a disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China and its citizens that have targeted personally identifiable information, trade secrets, and other confidential information,” Barr said, noting activities of the group known as APT 10 and data exfiltration incidents at U.S. Office of Personnel Management, Marriott hotels and health insurance company Anthem.
The inclusion of intellectual property theft in the charges is notable in relation to an agreement reached in 2015 by Presidents Obama and Xi Jinping, which differentiates between military espionage and economic espionage and put the latter off-limits.
Justice officials said the PLA officers stole Equifax’s data compilations and database designs, trade secrets that were “the product of decades of investment and hard work by the company,” according to Barr.
“We do not normally bring criminal charges against the members of another country’s military or intelligence services outside the United States,” Barr said, noting exceptions for interfering with the private sector or democratic elections. “In general, traditional military and intelligence activity is a separate sphere of conduct that ought not be subject to domestic criminal law.”
Bowdich noted today’s indictment is only the second in history against Chinese military personnel. In 2014, the Justice Department charged five military hackers in connection with economic espionage within the nuclear power, metals and solar power industries.
Barr added Americans’ personal data can “feed China’s development of artificial intelligence tools as well as the creation of intelligence targeting packages.”
Responding to reporters’ questions about the implications of the data breach for national security, Bowdich said the PII can be monetized or used to target U.S. officials, but that there was no evidence of this so far.
Bowdich said the department reviewed “tons of forensic data” leading up to the attribution, including analyzing malware and examining logs to establish a digital footprint.
Justice officials acknowledged 20 other countries for assisting in the investigation and repeatedly thanked Equifax for its cooperation.
“I cannot overstate the importance of the involvement of the victim company,” Bowdich said.
Asked whether the breach could have been prevented if Equifax had patched a known vulnerability discovered on its network in March 2017—months before the company says it realized attackers were in the system—Bowdich declined to comment beyond referring to “civil remedies.”
In January, the Federal Trade Commission announced $425 million would be available to help those affected by the breach from a settlement between Equifax and the FTC, along with the Consumer Financial Protection Bureau and 50 U.S. states and territories.
Lawmakers reacting to the Justice Department announcement welcomed the indictment of the Chinese military officers but did not let Equifax off the hook.
“The indictment does not detract from the myriad of vulnerabilities and process deficiencies that we saw in Equifax’s systems and response to the hack,” said Sen. Mark Warner, D-Va., co-chair of the Senate Cybersecurity Caucus, promoting legislation he proposed with Sen. Elizabeth Warren, D-Mass., which he said would “subject data brokers to a higher standard of care.”
“A company in the business of collecting and retaining massive amounts of Americans’ sensitive personal information must act with the utmost care – and face any consequences that arise from that failure,” Warner said.