The U.S. Justice Department announced Monday that it has indicted four members of China’s military for the cyberattack against credit ratings agency Equifax in 2017.
The incident led to the loss of personal information belonging to 145 million people, mostly in the U.S. but also in Canada and Europe. A Georgia grand jury returned charges that Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei committed espionage, wire fraud and other computer crimes on behalf of China’s military, according to Justice Department officials Monday.
“This data has economic value and these thefts can feed China’s … creation of intelligence targeting packages,” said Attorney General William Barr at a Monday news conference. He included Equifax alongside other cyberattacks that the Justice Department has attributed to the Chinese government, including the hack of more than 78 million records belonging to health insurer Anthem in 2014.
The investigation included years of painstaking research on just 30 IP addresses and a “handful” of malicious software tools used in the attack, which focused on a single department within Equifax that dealt with resolving credit disputes, said Deputy FBI Director David Bowdich at the news conference.
Bowdich said that the information stolen in the breach still has never been used by those who took it, a mystery that has persisted since the breach and was first reported by CNBC last year.
After the initial breach was announced on September 7, 2017, law enforcement officials and investigators turned their attention to China’s military. This was due in part to the fact that the Equifax data has never been found for sale on underground internet forums that usually involve the trade in this type of data to criminals who may use it to fraudulently obtain credit or tax return funds.
By naming Chinese military officials, the Justice Department is finally confirming which nation’s military they suspect was behind the incident, which ultimately led to enormous upheaval at Equifax. The company’s CEO resigned, as well as its head of cybersecurity, Susan Mauldin, and Chief Information Officer Jun Ying.
Ying would later be sentenced to four months in prison for insider trading on the security incident before it was announced to the public, enabling him to avoid a loss of $117,000.
Bowdich praised Equifax for its cooperation with the investigation, calling the company a “victim” in the incident and emphasizing its transparency with law enforcement during the more than two-year probe. But Equifax has also struggled with its response to the incident. The company announced an approximately $400 million settlement in mid-2019 that would have granted anyone affected by the breach a modest cash settlement of $125.
But the settlement funds were capped at $31 million, and the announcement was quickly followed by a Federal Trade Commission plea for consumers to take a credit monitoring option instead of cash because Equifax would likely run out of money to cover the payments.
Correction: David Bowdich is deputy director of the FBI. An earlier version misspelled his name.