US federal prosecutors have charged four members of China’s People’s Liberation Army (PLA) over the 2017 Equifax hack, in which some 147 million customers of the credit reporting agency had their personal data stolen.

The US Justice Department said the four individuals – Wu Zhiyong, Wang Qian, Xu Ke, and Liu Lei – are part of the Chinese state-backed hacking group APT10.

“In a single breach, the PLA obtained sensitive personally identifiable information [PII] for nearly half of all American citizens,” court indictment files said.

“This is the largest theft of sensitive PII by state-sponsored hackers ever recorded,” said FBI deputy director David Bowdich.

Data stolen included names, social security numbers, birth dates and addresses. Investigations showed that the hackers exploited a web server that Equifax had failed to patch, despite having known of the vulnerability for two months beforehand.

It is only the second time the Justice Department has indicted Chinese military hackers.

“Today, we hold [the Chinese military] hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the Internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us,” said Attorney General William Barr.

Equifax hack: Accused unlikely to face charges

However, independent cybersecurity expert Graham Cluley cast doubt on whether those behind the Equifax hack would ever face justice.

“It’s good that the USA has identified those it believes are responsible for the Equifax breach, but the chances that these men will ever appear in a court to answer the charges are close to zero,” Cluley told Verdict.

“This was one of the most significant data breaches ever, and could impact many millions of individuals for years. All because Equifax failed to update a server with a patch. A patch for a vulnerability they already knew about, but did nothing about.”

The charges are the result of an extensive law enforcement investigation, which involved analysing IP addresses and tracking malware.

Jake Moore, cybersecurity specialist at ESET, said: “Catching cybercriminals is impressive these days but sadly it does not reimburse the company for their losses.

“It does, however, suggest to the criminal world that they will be investigated and if these criminal hackers make a mistake, they will attempt to bring them to justice.

“Charging cybercriminals is not to be taken lightly especially if they are high profile themselves. This, by all means, doesn’t prove they did it, but it is further down the line than most cyberattack investigations get.”

In 2019 Equifax agreed to a $700m settlement following an investigation by the Federal Trade Commission, the Consumer Financial Protection Board (CFPB) and attorneys general in almost every US state.

Up to 15 million UK customers were compromised, which in 2018 resulted in a £500,000 fine from Britain’s data regulator – the maximum at the time.

Verdict has contacted Equifax for comment.
