The Department of Justice this morning formally charged four members of the Chinese military with the historic hack of Equifax, one of the largest data breaches in U.S. history. The breach exposed the sensitive financial data of more than 147 million Americans, culminating in a victim compensation effort that wound up being little more than a cruel joke.
In a morning press conference, the DOJ revealed a nine-count indictment against Wu Zhiyong, Wang Qian, Xu Ke, and Liu Lei, all members of the People’s Liberation Army's 54th Research Institute, an extension of the Chinese military.
“This was a deliberate and sweeping intrusion into the private information of the American people,” DOJ head William Barr said in a morning press conference. “Today, we hold PLA hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the Internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us.”
According to the DOJ, the four stole not only sensitive U.S. consumer financial data, but proprietary Equifax material related to data compilations and database design. All of this data was obtained by first exploiting the Apache Struts Web Framework software used by Equifax’s online dispute portal.
Once they had their entry point, the indictment and DOJ press release outlines how the hackers spent several weeks running more than 9,000 queries to identify Equifax’s database structure and the location of sensitive data. The hackers then created an archive containing 49 directories, which were split into 600 megabyte chunks and offloaded to a Dutch server.
“In short, this was an organized and remarkably brazen criminal heist of sensitive information of nearly half of all Americans, as well as the hard work and intellectual property of an American company, by a unit of the Chinese military,” Barr said.
The four hackers are charged with three counts of conspiracy to commit computer fraud, conspiracy to commit economic espionage, and conspiracy to commit wire fraud—as well as two counts of unauthorized access and intentional damage to a protected computer, one count of economic espionage, and three counts of wire fraud.
“Unfortunately, the Equifax hack fits a disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China and its citizens that have targeted personally identifiable information, trade secrets, and other confidential information,” Barr said.
But the hack revealed far more than that. It also revealed America’s repeated failure to hold corporations accountable for lax security and a systemic disregard for consumer privacy.
The Equifax scandal was entirely avoidable. Equifax was warned months in advance of the server vulnerability that made the intrusion possible, and the data collected by the company was acquired entirely without consumer consent and with no ability for consumers to opt out.
“The attack on Equifax was an attack on U.S. consumers as well as the United States,” the company said in a statement.
But shifting the blame entirely to China and the broader conversation toward national security risks the country learning nothing from experience, some lawmakers warned.
"There’s no separating privacy and national security," Senator Ron Wyden said in a statement. "When companies like Equifax amass vast stores of sensitive personal information and then cut corners on security, they become irresistible targets for unfriendly regimes like China. Passing strong privacy legislation like my Mind Your Own Business Act is essential for our national security and our individual safety."
“The indictment does not detract from the myriad of vulnerabilities and process deficiencies that we saw in Equifax’s systems and response to the hack,” Senator Mark Warner said in a statement provided to Motherboard. “A company in the business of collecting and retaining massive amounts of Americans’ sensitive personal information must act with the utmost care – and face any consequences that arise from that failure.”
But the lack of any U.S. privacy law for the internet era means serious punishment for lax security is often lacking and victim compensation is routinely a distant afterthought. Like the countless scandals that have preceded it, any financial penalty faced by Equifax paled in comparison to the money made from collecting the data in the first place.
In the wake of the Equifax breach, the FTC announced a new $575 million “record” settlement it promised would bring the 147 million victims of the attack some much needed compensation. In reality, the settlement wound up being little more than a cruel joke that added insult to injury.
The free credit monitoring provided to victims was effectively worthless, and the $125 payouts promised by the agency disappeared as soon as consumers went to collect it. That angered politicians like Senator Ron Wyden, who has been pushing legislation that would give CEOs jail time for failing to adequately protect the vast troves of consumer data they collect.
“With just $31 million to be divided up by all the Americans who filed to receive their $125 check, Americans have the choice of receiving pennies for having their credit details spilled out online, or receiving virtually worthless credit monitoring,” Wyden told Motherboard at the time of the hack. “Another clear failure by the FTC.”
While it’s welcome news that the attackers were identified, shifting the conversation entirely toward national security helps obscure our repeated, domestic failure to both rein in rampant consumer data collection or adequately help victims once that data is inevitably abused.