Equifax headquarters, Atlanta. (Photo: John Disney/ALM)Chinese Hackers Indicted in Atlanta Over 2017 Equifax Data Breach
U.S. Attorney William Barr announced Monday that a federal grand jury indicted four members of China's People's Liberation Army for the breach.
February 10, 2020 at 10:56 AM
5 minute read
Four members of the Chinese People's Liberation Army have been charged with the 2017 hack of Atlanta-based credit reporting agency Equifax that compromised the personal and financial data of an estimated 147 million people, U.S. Attorney General William Barr announced Monday.
Barr said all four were members of the 54th Research Institute, a division of the Chinese military.
"We remind the Chinese government that we have the capability to remove the Internet's cloak of anonymity and find the hackers that nation repeatedly deploys against us," Barr said.
Barr said the hack "fits a disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China and its citizens that have targeted personally identifiable information, trade secrets, and other confidential information."
Defendants Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei were indicted by a federal grand jury in Atlanta on multiple counts associated with stealing trade secret information—including conspiracy to commit computer fraud, conspiracy to commit economic espionage and conspiracy to commit wire fraud. They also are charged with two counts of unauthorized access and intentional damage to a protected computer.
The Chinese Embassy in Washington, D.C., did not immediately respond to a request for comment.
According to the indictment, the hackers obtained names, birthdates and Social Security numbers for nearly half the U.S. population, driver's license numbers for at least 10 million people and credit card numbers and other identifying information for approximately 200,000 people.
They also obtained personal identifying information for nearly one million citizens of the United Kingdom and Canada, the indictment alleges.
The defendants were able to use a software vulnerability to gain entry to Equifax's online dispute portal, Barr said.
The indictment said Equifax failed to act on a warning to fix a software exploit in its online dispute portal used by people to research and dispute potential inaccuracies in their credit reports.
Barr said the defendants routed traffic through an estimated 34 servers in 20 countries to evade detection, used encrypted communication channels within Equifax's own network and deleted files daily to eliminate traces of their illicit presence.
The hackers also used Equifax database service credentials to falsely represent they were authorized users of the credit reporting agency network, the indictment said. The hackers ran at least 9,000 queries on Equifax's system, the majority of which were generated through two China-based IP addresses connected directly to Equifax's network, the indictment said. The conspirators then stored stolen information in temporary files, which they downloaded, the indictment said.
Equifax CEO Mark Begor on Monday called the breach "an attack on U.S. consumers as well as the United States."
Begor said cybercrime "is an ongoing battle that every company will continue to face as attackers grow more sophisticated" and will "require the type of open cooperation and partnership between government, law enforcement and private business."
Begor also made note of the credit reporting agency's intent to spend $1.25 billion on enhancing its security and technology, a provision included in Equifax's $1.4 billion class action settlement with consumers whose data was stolen.
In a joint statement Monday, co-counsel for the consumer class plaintiffs—Kenneth Canfield of Atlanta's Doffermyre Shields Canfield & Knowles, Amy Keller of Chicago's DiCello and Norman Siegel of Stueve Siegel Hanson in Kansas City—said the settlement they negotiated "certainly considered that a foreign government was responsible for the breach, which is why we insisted Equifax implement strong measures to prevent future attacks, provided a mechanism for monitoring a decade into the future."
The indictments announced Monday follow earlier convictions of two former Equifax employees in Atlanta associated with the 2017 hack.
Jun Ying, the former chief information officer of Equifax U.S. Information Solutions, was sentenced to four months in prison and fined $55,000 for engaging in insider trading ahead of Equifax's public announcement of the data breach.
Ying exercised all of his vested stock options and sold more than 6,800 shares for nearly $1 million prior to public disclosure of the hack, avoiding more than $117,000 in losses, prosecutors said.
In a separate civil settlement with the U.S. Securities and Exchange Commission, Ying agreed to a $125,636 disgorgement.
In July 2018, Sudhakar Reddy Bonthu—a former software development manager at Equifax—pleaded guilty to violating federal securities laws after he traded his Equifax stock before the data breach was announced. He was sentenced to eight months of home confinement and fined $50,000. In a separate civil settlement with the SEC, Reddy agrees to disgorge $75,167.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All
Akerman Opens Charlotte Office With Focus on Renewable Energy, Data Center Practices
4 minute read
Woman's Suit Alleging Negligence to Sex Trafficking by Hotel Tossed by Federal Judge
Supreme Court of Georgia Accepts 2 Petitions for Voluntary Discipline With 2-Year Suspension, 1 Voluntary Surrender of License
Trending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
