DoJ indictment: Equifax hack "an organized and remarkably brazen criminal heist" by China's military

The Department of Justice reminded us today that not all viruses from China are biological. Attorney General William Barr unveiled a federal indictment against four members of the People’s Liberation Army for hacking Equifax in 2017. The theft of information was the largest so far, but it’s just one in a series of such thefts by China over the last decade.

Barr led off with his thoughts in support of two murdered NYPD officers, and then read his announcement about the indictment. Were they after the data, or after Equifax’s intellectual property? Probably both:

The Department of Justice unveiled charges against four members of China’s military for allegedly hacking into the credit agency Equifax and stealing the personal information of millions of Americans in 2017.

“This was one of the largest data breaches in history,” Attorney General William Barr said at a press conference on Monday. “The scale of the theft was staggering. As alleged in the indictment, the hackers obtained the names, birth dates and Social Security numbers of nearly 145 million Americans, and the drivers licenses of at least 10 million Americans.”

The four charged are Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei, all of whom are members of the 54th Research Institute, a component of China’s People’s Liberation Army, prosecutors said. A federal grand jury in Atlanta returned the nine-count indictment on charges of computer fraud, economic espionage and wire fraud.

Barr mentions the hack of the Office of Personnel Management (OPM) in 2014, which continued without detection for over a year and gave China access to sensitive government personnel records going back to 1985. China was also behind commercial attacks on Marriott and Anthem Insurance, Barr alleges in this presser, as well as other hacks of US government systems. China has been a bad actor for a long while on several fronts, and it has taken a long while for the US government to provide a robust response.

This might be mostly welcome news for Equifax, which has been buried in legal ramifications from the hack. The settlement got reduced to $31 million, but the company is still struggling with the financial implications and the loss of confidence in its systems. Barr called Equifax a victim in the hack, but the indictment doesn’t let them completely off the hook:

How did the DoJ finger China for this hack? Oddly enough, one reason was that no one was exploiting the data:

Bowditch said that the information stolen in the breach still has never been used by those who stole it, a mystery that has persisted since the breach and was first reported by CNBC last year.

After the initial breach was announced on September 7, 2017, law enforcement officials and investigators turned their attention to China’s military. This was due in part to the fact that the Equifax data has never been found for sale on underground internet forums that usually involve the trade in this type of data to criminals who may use it to fraudulently obtain credit or tax return funds.

By naming Chinese military officials, the Justice Department is finally confirming which nation’s military they suspect was behind the incident, which ultimately led to enormous upheaval at Equifax. The company’s CEO resigned, as well as its head of cybersecurity, Susan Mauldin, and chief information officer Jun Ying.

Ying would later be sentenced to four months in prison for insider trading on the security incident before it was announced to the public, to profit from the information by $117,000.

An indictment isn’t a bad start, but it’s still pretty weak in terms of actual impact. China won’t extradite the suspects under any circumstances, not least because they were implementing Beijing’s policy. This does give the Trump administration more ammunition to pursue its actual hard-line strategy in the trade war, which is punishing China far more than it is hurting the US at the moment. The tariff fight may not have been all that popular before now, but 143 million Americans impacted by the Equifax hack might decide that Trump should impose even more trade penalties on China for stealing their own personal data.

This means all eyes will turn to the White House, and to its Phase 2 efforts on a trade deal. After the coronavirus and a pork plague that has Beijing reeling, China’s leaders will desperately need economic stability to keep people from rising up against the established order. This is a very good time to start demanding curbs on hacking and other intellectual property theft, and stiff penalties when either occurs. Donald Trump has been issuing mainly friendly signals since the Phase 1 agreement went into effect, but this is precisely the kind of narrative he’s used to drive his trade war since getting elected.