
U.S. Indicts Four Chinese Hackers Over 2017 Equifax Data Breach


The U.S. Department of Justice pressed charges against four Chinese nationals for hacking the Atlanta-based credit reporting agency Equifax in 2017. The four hackers, identified as Liu Lei, Wang Qian, Wu Zhiyong, and Xu Ke, are believed to be members of the People's Liberation Army (PLA) of China.

The grand jury in Atlanta released a nine-count indictment charging the PLA operatives with wire fraud, economic espionage, conspiracy to commit computer fraud, and other offenses. Speaking at a press conference, U.S. Attorney General William Barr said the four hackers stole not only data of U.S. citizens, but also Equifax’s proprietary data. “For years we have witnessed China’s voracious appetite for the personal data of Americans. This data has economic value, and these thefts can feed China’s development of artificial intelligence tools as well as the creation of intelligence targeting packages,” Barr added.

Breach Overview

On September 7, 2017, Equifax disclosed that its databases were breached between May and June 2017, and hackers gained access to company data that potentially compromised sensitive information for 143 million American consumers, including Social Security numbers, credit card numbers, and driver’s license numbers. Equifax discovered the breach on July 29, 2017. It waited until after the close of trading nearly six weeks later to disclose the breach to consumers and Equifax’s investors, after hackers exfiltrated data for 76 days.

Penalties Against Equifax

In 2018, Equifax was fined £500,000 (US$660,000) by the Information Commissioner's Office (ICO) for failing to protect the personal and financial data of 15 million customers in the 2017 data breach. The ICO, which carried out the investigation, stated that Equifax was warned about vulnerabilities in its systems by the U.S. Department of Homeland Security in March 2017. However, Equifax failed to take proper steps to fix the vulnerabilities. Later, in July 2019, the Federal Trade Commission (FTC) and Consumer Financial Protection Bureau fined Equifax US$650 million.

Recently, in January 2020, Equifax agreed to pay US$380.5 million to settle a class-action lawsuit, brought forward by the FTC. As per the settlement, Equifax will pay US$380.5 million as a penalty, from which class action members can withdraw up to US$20,000 as compensation. Additionally, the company may also be required to spend US$125 million for out-of-pocket claims. Class action members will also receive 10 years of free credit monitoring services from Equifax.