Federal prosecutors alleged in the nine-count indictment that the four defendants hacked Equifax’s systems and stole company trade secrets as well as the consumer data. The indictment was filed in federal court in Atlanta, in which Equifax is headquartered.
In March 2017, Apache and the United States Computer Emergency Readiness Team “announced a vulnerability in certain versions of Apache Struts software that permitted unauthorized users to access the Apache Struts Web Framework and perform a remote code execution attack on a target web application,” the indictment states. “The vulnerability was not patched on Equifax’s online dispute portal.”
It’s not clear exactly when the hackers gained access to Equifax’s systems, but they did so “at least by or on about May 13th,” according to the indictment. They allegedly spent at least two months running around 9,000 queries on Equifax’s systems to obtain personal data on nearly half of all Americans. Prosecutors also say the hackers stole database designs and data compilations, which are deemed to be trade secret information.
The defendants allegedly tried to cover their tracks by rerouting traffic through dozens of servers in almost 20 countries and using encrypted communication systems in Equifax’s network to make their activity seem normal. They also cleaned out log files every day, according to the indictment.
Prosecutors charged the defendants — Wu Zhiyong, Wang Qian, Xu Ke and and Liu Lei — with conspiracy to commit computer fraud (three counts), conspiracy to commit economic espionage and conspiracy to commit wire fraud. The indictment also includes a charge of economic espionage, three counts of wire fraud and two counts of unauthorized access and intentional damage to a protected computer.
“This was a deliberate and sweeping intrusion into the private information of the American people,” said Attorney General William Barr in a statement. “Today, we hold PLA hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the Internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us.”
Last year, Equifax agreed with the Federal Trade Commission a settlement worth up to $700 million in total. People who were affected by the breach can request credit monitoring or a cash payout. There were suggestions they’d receive up to $125, which might not come close to covering the potential damage they might have suffered if someone exploited their data. But the victims probably won’t get anything close to that, because of a large number of claimants for a payout pot of just $31 million.