The U.S. Department of Justice is charging four members of the Chinese military with perpetrating the 2017 Equifax breach, one of the largest hacks ever. More than 145 million people had their personal information stolen, including names, addresses and Social Security numbers, according to Time Magazine.
The crimes cited in the indictment include conspiracy to commit computer fraud, conspiracy to commit economic espionage and conspiracy to commit wire fraud.
"Today, we hold PLA [a branch of the Chinese military] hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the Internet's cloak of anonymity and find the hackers that the nation repeatedly deploys against us," said U.S. Attorney General William Barr.
None of the alleged hackers are currently in U.S. custody, as they are based in China and unlikely to be extradited.
A different effect on consumers
When the Equifax security breach initially occurred, most victims were worried about the hackers stealing their identity for financial purposes. However, with the revelation that the actors involved were from Chinese military intelligence, rather than rogue hackers, the chances are far greater that the breach was a part of a larger espionage scheme.
While the indictment may be a relief for victims, the implications of the breach are still quite large.
Experts are unsure what the Chinese Government may use the stolen Equifax data for. Possibilities include compiling dossiers on American business and political leaders for the purposes of extortion or bribery. In particular, government employees and people working in the tech industry or at a company with a major government contract should be alert, according to MarketWatch. Other "normal" Americans are far less likely to notice an impact.
The new charges are only the latest in a series of security breaches that the U.S. government believes are the work of the Chinese military. In 2014, the Justice Department charged five members of the Chinese military with cyber espionage directed at various American companies in the steel and energy sectors. In both cases, the cyberattacks were carried out by a branch of the Chinese armed forces known as the People's Liberation Army.
A more complex cybersecurity case also emerged in 2015, in which Chinese hackers stole the records of 21.5 million federal employees from databases at the U.S. Office of Personnel Management. The breach was also initially blamed on the Chinese Government, who responded by arresting several of its citizens and holding them responsible. The breach resulted in the CIA's removal of several officers from Beijing, due to concerns about their covers being revealed.
Ultimately, the news of China's responsibility puts the Equifax breach in a larger context, according to experts.
"Cybersecurity capability is now a chilling proxy for political power," Laura DeNardis, a dean at American University's School of Communication, said to MarketWatch.
The Equifax breach occurred in 2017 and rocked the cybersecurity world, as well as the millions of people affected. The breach was perhaps most shocking because the hackers had taken advantage of a publicly known weakness that Equifax had simply not implemented a patch for. According to Equifax, in reports given to Congress during the U.S. Government's investigation of the breach, Equifax had put out a memo on the vulnerability, but it did not reach the employees responsible for implementing a patch.
Equifax did not discover that a breach had occurred for about six weeks, by which time a large amount of information had been downloaded from its databases. The hackers were able to hide their efforts for this extended period by wiping log files daily and rerouting web traffic through servers in almost 20 countries.
In 2019, Equifax reached $700 million settlement with the US government. Victims of the breach can benefit from the settlement by either receiving free identity monitoring, to prevent future theft, or a flat payment of $125. The vast majority of victims have elected to take the flat payment. This trend will probably continue, as basic identity monitoring probably will have little effect on whatever the Chinese government does with victims' information.
So far, the security breach has cost Equifax almost $2 billion, as well as major harm to its reputation, according to the Atlanta Business Chronicle.
The entire Equifax saga makes clear the security limitations of programs that are made with Java. While Java is a key building block for many programs, its common use means that hackers can more easily find and exploit vulnerabilities. Hacker exploits, and associated patches, are constantly being announced for java software. Organizations that don't keep up with the vulnerabilities of their applications, as Equifax didn't, run an enormous risk.