Date: 2020-02-11

WASHINGTON – Four members of the Chinese military have been accused of breaking into the networks of the Equifax credit reporting agency and stealing the personal information of tens of millions of Americans, the Justice Department said on Monday, in a hack that targeted consumer data.

The 2017 security breach affected more than 145 million people. The hackers successfully stole names, addresses, social security and driver’s license numbers, and other personal information stored in the corporate databases.

Four members of the People’s Liberation Army, an arm of the Chinese military, are accused of stealing the company’s business secrets, including database designs, police officers said.

The accused hackers exploited a software vulnerability to access Equifax computers and obtain credentials to navigate databases and review records. The indictment also details the hackers’ efforts to cover up their tracks, including deleting log files daily and routing traffic through dozens of servers in nearly 20 countries.

“The scale of the theft was staggering,” Attorney General William Barr said on Monday. “This theft has not only caused significant financial damage to Equifax, but has also affected the privacy of millions of Americans, imposing significant costs and burdens on them because they have had to take measures to protect themselves from identity theft.”

Equifax, headquartered in Atlanta, maintains an extensive repository of consumer information that is sold to companies that want to verify identities or assess creditworthiness. Overall, the indictment says the company has information about hundreds of millions of Americans in the United States and abroad.

The case is a recent Justice Department allegation against Chinese hackers suspected of breaching American company networks. The Trump administration has warned of China’s growing political and economic influence and Beijing’s efforts to collect data about Americans and steal scientific research and innovation.

The government has also urged allies not to allow Chinese technology giant Huawei to become part of their 5G radio networks because of concerns that the devices could be used for data collection and monitoring.

The accused hackers are based in China and no one is in custody. Still, US officials see criminal charges like those in this case as a strong deterrent to foreign hackers and as a warning to other countries that US law enforcement agencies are able to locate individual culprits behind hacks.

A spokesman for the Chinese embassy did not immediately respond to an email on Monday asking for comment.

The case resembles an accusation brought by the Obama administration’s Department of Justice in 2014, in which five members of the PLA were accused of hacking into large American companies to steal their trade secrets. The US authorities also suspect China of a massive breach of the Office of Personnel Management and of intrusions into the Marriott hotel chain and the health insurer Anthem in 2015.

“This type of attack on American industry has been linked to other illegal Chinese collections of sensitive personal data,” Barr said on Monday, adding “that we have witnessed China’s insatiable appetite for American personal data for years.”

The criminal charges, including conspiracy to commit computer fraud and conspiracy to commit industrial espionage, have been brought in federal court in Atlanta.

Equifax reached a $700 million settlement over the data breach last year, with the bulk of the funds going to consumers who were affected.

Equifax did not notice for more than six weeks that the intruders had accessed its databases. The hackers exploited a known vulnerability that Equifax had not addressed.

Once on the network, officials said, the hackers spent weeks investigating it. They stole credentials and ultimately downloaded and exfiltrated Equifax data to computers outside of the United States.

According to the indictment, the hackers obtained names, dates of birth, and social security numbers for approximately 145 million American victims, as well as credit card numbers and other personal information for approximately 200,000.

According to the Government Accountability Office, the congressional investigative arm, software with a known vulnerability was running on a server that hosted Equifax’s online dispute portal. The hackers jumped through the opening to access databases of consumer personal information.

Equifax representatives told GAO that the company had made many mistakes, including keeping an outdated list of computer system administrators. When the company circulated a notice to install a patch for the vulnerability, the employees responsible for installing the patch never received it.

The $700 million Equifax settlement with the U.S. government provides affected consumers with free credit monitoring and identity recovery services, as well as money for their time or reimbursement for certain services. However, with so many people filing claims, authorities said some consumers would receive far less than the allowable amounts because of caps on the settlement pool.