The US Department of Justice (DoJ) has charged four members of China's People Liberation Army with the massive May 2017 breach of information-broker Equifax, making it purportedly the largest theft of sensitive personal information attributed to a state-sponsored group to date.
During the breach, hackers used a known vulnerability in the Apache Struts Web framework to compromise Equifax's network and steal the names, addresses, birthdates, Social Security numbers, and other sensitive information on more than 145 million US adults from the company's database. The breach has become the focus of multiple lawsuits, reportedly led to significant identity fraud, and will cost Equifax at least $1.4 billion in settlement and future security expenditures.
With the indictment, the DoJ and FBI continue their efforts to hold other nations accountable for the hacking of US companies, FBI deputy director David Bowdich said during a press briefing on Monday.
"This [hack] is about more than targeting just an American business," he said. "It is about the brazen theft of sensitive personal information of nearly 150 million Americans. This is the largest theft of sensitive PII [personally identifiable information] by state-sponsored hackers ever recorded. This indictment is also a reminder that — with their attacks on our economy, cyber-infrastructure, and our citizens — China is one of the most significant threats to our national security today."
China has had a long history of using cyber espionage to steal intellectual property from US companies. More than a decade ago, Chinese operatives, later dubbed Elderwood and APT1, infiltrated Google and dozens of other companies china military behind equifax breach
