Earlier this year, four members of the Chinese military were charged in connection to a data breach dating back to 2017, in which 145 million Americans had their personal data stolen.
The charges brought against the hackers accused them of stealing personal, sensitive information regarding US residents after hacking into Equifax’s computer networks and sustaining unauthorised access to the systems. Amongst the information stolen by the hackers was dates of birth, names, and social security numbers. Private information belonging to British and Canadian nationals were also comprised in the attack.
William Barr, the attorney general has said that “This was one of the largest data breaches in history. This was a deliberate and sweeping intrusion into the private information of the American people.”.
The four hackers are reportedly members of the People’s Liberation Army’s (PLA) 54th Research Institute – an element of the Chinese military. The indictment alleged that in order to determine Equifax’s database structure and to locate personally identifiable private information, the hackers spent weeks running queries inside Equifax’s system. According to the Department of Justice, an approximate total of 9,000 queries were run, gathering personal information relating to almost half of all US citizens.
The indictment further alleges that after the hackers had gathered everything they wanted, the stolen information was downloaded to computers located outside of the US. It was reported that the attackers routed their traffic through around 34 severs in almost 20 different countries in an attempt to hide their location.
In the US, Equifax was ordered to pay fines amounting to $700m in July of 2019 for leaving its network vulnerable to a breach after not appropriately rolling out security patches.
Equifax was also ordered to pay the maximum possible (at the time) fine in the UK, of £500m. If the incident had occurred one year later, it was have fallen into the GDPR regulations and Equifax could have been ordered to pay fines of up to €20m (approx. £18m).