Justice Department Charges Chinese Nationals With Equifax Data Breach

Consumer Reports has no financial relationship with advertisers on this site.

The U.S. Department of Justice filed an indictment against four Chinese nationals with alleged ties to the Chinese military, charging them with compromising the personal information of 145 million Americans in the 2017 Equifax data breach.

The nine-count indictment claims Wu Zhiyong, Wang Qian, Xu Ke, and Liu Lei were members of the People's Liberation Army’s 54^th Research Institute, and they routed files through approximately 34 servers in almost 20 countries to avoid detection. 

"This was an organized and remarkably brazen criminal heist of sensitive information of nearly half of all Americans," said Attorney General William Barr at a press conference to announce the indictment. 

According to FBI deputy director David Bowdich, who also attended the DOJ press conference, there's currently no evidence that China sold or shared the Equifax data.

"If you can get personally identifiable information, you can do a lot with it," he added. "It can be monetized. It can be used for targeting packages for U.S. government personnel. But we haven't seen that in this case to this point."

Security expert Brian Vecci of Varonis says China's intended target is more likely high-level political operatives than U.S. citizens. "The fact that we haven't seen China sell this information on the Dark Web says to me that whatever they're using it for is more valuable to them," he explains.

Still, the news underscores the need for consumers to be mindful about whom they share data with and how that data is secured. While there's no need for panic, said Bowdich, Equifax breach victims should continue to monitor their credit scores, contact credit card companies if they discover a problem, avoid opening unknown email attachments, and use two-factor authentication to beef up password access to banking, healthcare, and social media accounts. (For more tips from cybersecurity experts, see below.)

"We should be demanding better privacy protections like Europe has with the GDPR [General Data Privacy Regulation] and California has with the CCPA [California Consumer Privacy Act]," says Vecci. "If this makes people demand better privacy controls, we’ll be better off."

Is Equifax Blameless?

Though the DOJ praised Equifax for its cooperation, Vecci argues that the company deserves some blame for its lax security practices.

"Equifax stored a huge amount of private data, and if they had even common sense controls in place to protect private information, this particular attack wouldn't have happened," he explains.

A Congressional report released in December called the Equifax breach “entirely preventable," concluding that the financial reporting company failed to properly fix a software vulnerability it had been warned about in early March 2017. A subsequent failure to implement routine security updates prevented Equifax from discovering the breach until the Chinese hackers had access to the system for 76 days between mid-May and late July. The public wasn't informed of the breach until September.

In the DOJ press conference, Barr noted that the Chinese state-level hackers had been implicated—although not indicted—in the 2015 breach of healthcare giant Anthem, which affected 78.8 million individuals, and the 2018 breach of Marriott, which exposed the data, including passport and credit card information, of up to 500 million individuals.

"This makes it clear that China has been engaged in a decade-long effort against U.S companies and individuals," says Jamil Jaffer, senior vice president for strategy at IronNet Cybersecurity and a former chief counsel for the Senate Foreign Relations Committee.

According to Vecci, if China was indeed behind the Marriott and Anthem hacks, the Equifax data set becomes more valuable, because it can be aggregated with this other data and analyzed using machine learning.

"Once you have three of these data sets and you start combining them–hotel behavior from Marriott combined with financial information from Equifax combined with healthcare information from Anthem–suddenly you know way more about an individual," Vecci explains. "I don't think China's going to use this to steal a random consumer's identity, but I'm sure they have people of interest."

The Equifax breach, of one of the largest credit monitoring firms, was first reported in September 2017. As part of a $700 million settlement with the Federal Trade Commission, the company has offered affected consumers at least four years of free monitoring from the three major credit rating agencies through Experian and up to six more years of free, one-bureau credit monitoring through Equifax in addition to cash reimbursement for losses and expenses, with individual claims capped at $20,000, although most will be far less. The deadline to apply for these funds passed on Jan. 22, 2020.

How to Protect Yourself

Here are some steps you can take to protect yourself from cybercrime and identity theft.

Freeze your credit. That makes it harder for cybercriminals to apply for loans, credit cards, and wireless phones using your personal information.

Guard your financial information. Be wary of texts or email asking for account numbers, credit card numbers, and wire transfers, as well as alerts about failed transactions. There’s no reason to share such info via message or an unsecure site.

Don’t open attachments. They may contain malware. And you should never type confidential information into a form attached to an email. The sender can potentially track the info you enter.

Double-check the link. Before you click on a link in an email or on the internet, try hovering your mouse over it. This will reveal the full address, which can expose signs of fraud. A “.ru” on the end, for example, means the site was created in Russia; “.br” means Brazil.

Misspellings are another good tip-off to a fake website. If the URL says equifaxx.com, it's best to avoid it. Search for the company on Google and access the website that way instead.

Don’t assume that a website is legitimate just because its URL starts with “https.” Criminals like to use encryption, too.

Enable two-factor authentication. If you’ve ever had to use a six-digit verification code texted to your cell phone to log in to a digital account, you have some idea of how 2FA works. Once you turn on the setting, you have to provide a password and another unique identifier to access your account from an unverified device or location. This protects you if a stranger steals your password.

Turn on auto updates. This goes for your computer, smartphone, and tablets. Up-to-date security software goes a long way toward stopping malware.

Use security tools. Install an antivirus program on your device and keep it up to date. You can also use a website reputation rating tool, which comes in the form of a browser plug-in, to warn you if you try to go to potentially dangerous websites. Cybersecurity companies such as McAfee, Kaspersky, and Norton offer them. But keep in mind that these tools aren’t foolproof. 

More from Consumer Reports:
Top pick tires for 2016
Best used cars for $25,000 and less
7 best mattresses for couples

Consumer Reports is an independent, nonprofit organization that works side by side with consumers to create a fairer, safer, and healthier world. CR does not endorse products or services, and does not accept advertising. Copyright © 2020, Consumer Reports, Inc.