Who Stole Americans’ Personal Data in Equifax Hack? China’s Military & How They Did it: US DOJ in 9-Count Indictment

Department of Justice indicts four members of China’s PLA. “We have the capability to remove the Internet’s cloak of anonymity.” But how far will it go?

By Wolf Richter for WOLF STREET.

I normally don’t get into who hacked whom, because it happens a lot, but here we’re talking about the Equifax hack, the most damaging hack for Americans ever, where hackers stole the crown jewels of personal information – including names, birth dates, social security numbers, and addresses – of 145 million Americans. Consumer-credit ratings agency Equifax first revealed the hack in September 2017, after having discovered it on July 29, months after the hackers had perpetrated the hack.

This morning, the US Department of Justice announced that a federal grand jury had returned a nine-count indictment, charging four members of the Chinese People’s Liberation Army (PLA) with hacking into the Equifax computer system and “stealing Americans’ personal data and Equifax’s valuable trade secrets.” These trade secrets were “Equifax’s data compilations and database designs.”

The indictment included three counts of conspiracy to commit computer fraud, conspiracy to commit economic espionage, and conspiracy to commit wire fraud; two counts of unauthorized access and intentional damage to a protected computer; one count of economic espionage; and three counts of wire fraud.

Attorney General William Barr called it an “an organized and remarkably brazen criminal heist of sensitive information of nearly half of all Americans, as well as the hard work and intellectual property of an American company, by a unit of the Chinese military.”

The DOJ’s press release provided some clues as to how China’s PLA hackers worked, including these standouts:

According to the indictment, the defendants exploited a vulnerability in the Apache Struts Web Framework software used by Equifax’s online dispute portal. They used this access to conduct reconnaissance of Equifax’s online dispute portal and to obtain login credentials that could be used to further navigate Equifax’s network.

The defendants spent several weeks running queries to identify Equifax’s database structure and searching for sensitive, personally identifiable information within Equifax’s system. Once they accessed files of interest, the conspirators then stored the stolen information in temporary output files, compressed and divided the files, and ultimately were able to download and exfiltrate the data from Equifax’s network to computers outside the United States.

In total, the attackers ran approximately 9,000 queries on Equifax’s system, obtaining names, birth dates and social security numbers for nearly half of all American citizens.

The defendants took steps to evade detection throughout the intrusion, as alleged in the indictment. They routed traffic through approximately 34 servers located in nearly 20 countries to obfuscate their true location, used encrypted communication channels within Equifax’s network to blend in with normal network activity, and deleted compressed files and wiped log files on a daily basis in an effort to eliminate records of their activity.

The four individuals named in the indictment were Wu Zhiyong, Wang Qian, Xu Ke, and Liu Lei, who were all members of the PLA’s 54th Research Institute, a component of the Chinese military.

The U.S. Attorney’s Office for the Northern District of Georgia, the Criminal and National Security Divisions of the Department of Justice, and the FBI’s Atlanta Field Office jointly conducted the investigation, with the FBI’s Cyber Division providing support. And Equifax “provided valuable assistance in the investigation.”

“We remind the Chinese government that we have the capability to remove the Internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us,” Barr said in the statement, and added:

“Unfortunately, the Equifax hack fits a disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China and its citizens that have targeted personally identifiable information, trade secrets, and other confidential information.”

The announcement points out that the “defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.”

But how far will this go? Not very far, I can comfortably assure you. China has in the past denied all such charges with copy-and-paste statements. One thing is certain: China isn’t going to extradite to the US any members of the PLA who’re alleged to have committed state-sponsored hacks on US companies and on Americans. Just not going to happen. If they in fact perpetrated the hack, the PLA will more likely reward them for a job well-done. But those four members are unlikely to want to blow their bonus and assorted other income anytime soon on a home in the US.

In 2019, Corporate America began rerouting its supply chain to other countries but not necessarily back to the US. Read… US Imports from China Plunged Most Ever in 2019, Shifted to Other Countries, and the Goods Trade Deficit Improved Only a Tad from Worst Level Ever

Enjoy reading WOLF STREET and want to support it? You can donate. I appreciate it immensely. Click on the beer and iced-tea mug to find out how:

Would you like to be notified via email when WOLF STREET publishes a new article? Sign up here.

  128 comments for “Who Stole Americans’ Personal Data in Equifax Hack? China’s Military & How They Did it: US DOJ in 9-Count Indictment

  1. Iamafan says:

    What is the world will they do with my FICO score and SSN?
    Pretend it’s me and get a loan many times?
    I guess they can forge my signature, too.

    • Iamafan says:

      typo is = in

    • Petunia says:

      Fake identities for travel and foreign banking.

      • Philo Beddoh says:

        I’d an issue getting an identity on Social Security, which of course was due to Equifax being the government’s sole arbiter, verifying I was me? I don’t buy on credit, and have largely lived all over, working on the road for 30 years. Now, these same fucking criminals tell me, I’ll need to get “real” ID, so their pals can defraud me as I age?

    • Thomas Roberts says:

      Iamafan,

      They can combine this with other information.

      You have to remember that all those advertisers in America, collect alot of information on everyone. Virtually everything everyone does is recorded. The major problem is targeted advertising, right now it’s very ineffective, allegedly, but over time it will get better. In the future if targeted advertising is allowed to continue, they may learn to over time condition a person over their lifetime to not only buy certain things, but think certain ways about things. Manipulate elections, behaviors, and more.

      China can buy all that info from marketers just like other companies. Targeted advertising might not work on everyone, but, it doesn’t need to; assuming China hasn’t imploded by then, imagine if in 20 years from now, another guy like trump runs for president in America. Immediately, very emotional ads tailored specific to you and your family will start showing on your tv, exploiting the personal tragedies in your families life to tell you not to vote for the new Trump. On that day democracy dies.

      To clarify, even the targeted ads aren’t hyper specific to you, but they can generalize very well, maybe one of your children died. The Chinese government/advertisers knows that and exploits “child death” as the best option against you and your family. If targeted advertising works on 50+% of people advertisers own every country targeted advertising is allowed in.

      There are other things China could do with the information, but this is the most dangerous.

      • Lisa_Hooker says:

        In the future I like the one where a year after the new president is elected we find out it’s a computer generated simulacrum.

    • Crush the Peasants! says:

      See Invasion of the Body Snatchers.

    • Wisdom Seeker says:

      They might not care about Iamafan’s personal info and financial data, but you can bet China, and every other major nation (and probably many mega-corporations as well), cares about any data they can get on every major politician, media figure, or business leader. And their spouses and children.

      Once “they” have “our” elite’s digital identifiers, and know the nature of “our” guys financial relationships, they can identify pressure points and tailor ways to influence or blackmail those people.

      Odds are good that most of those people use only a few passwords; once they crack a couple, someone’s online life becomes an open book. Easy to figure out what someone’s vices are and then exploit them. Could be money (either greed or hidden poverty), pron, pedo, drugs… you name it. All human weaknesses become tools for manipulation, to favor their agenda over the local national interest.

      And then “our leaders” become “their tools”. Ever wonder why no one ever does anything about any of these incidents, don’t you?

      Epstein wasn’t the only cockroach in that cupboard.

    • Mira says:

      I agree ..
      “What append Ching Chong China Hackers .. ??”
      “Life got too exciting for ya’s & ya had to tone it down a bit .. ??”
      “But why all the way down to deeply meaningless man .. ??”

      I am not doubting your word here .. not for one moment Wolf Richter .. but what if it is actually scaremongering on the part of the US & Chinese governments ??
      A collaboration to make them & life look bigger & more dangerous than it is .. ??
      Like .. “It’s really all happening folks & hell .. Yippy Ya Hoo .. let’s spend .. spend .. spend even bigger bucks on diddlysquat here .. !!”

    • ChinaBoy says:

      China Social-Scores are bad. So they ‘msm’ tell us.

      USA FICO scores are good, and the Chinese are stealing them they’re so good.

      U have to ask, if perhaps that China might want to ban USA people based on same criteria? No other explanation.

      In order to visit China, you must obtain a VISA which costs about $80 USD/Entry, U have to wait 2-3 days, that’s plenty of time to check u out, to see if your a good debt-slave in USA.

      This story smells. I wonder if the opposite is also true, did the DOD steal Chinese social-score data? Maybe they want to know who is good/bad in China for Santa’s-List??

      Let’s remember here that DOD created the Internet back in the 1960’s, so all is fair, and absolutely there is no such thing as privacy or secrecy on the internet, given that its owned by DOD, even TOR was created by Gov.

      Sort of like BITCOIN, where its 100% derived from NSA Algo’s, and calling it ‘private’. Faux money for the Private Sector, and infinite fiat for the NSA.

      PLA at least is self-financing, its a pay as you go military, they own their own company’s, make their own nickel’s, not like the USA, which taxes the public to pay for the MIL, well that’s stuff of legends. So PLA run’s company’s to make money, but the US-MIL counterfeits FIAT, I have always wondered when will the US-MIL follow the China-PLA model?

      • paul gilpin says:

        in the US-MIL model of yours, they of course attack the US taxpayers as well. or do they attack the chinese peoples? and if so what possible information would that yield.
        so.
        the default of your method is for both the US & china MIL to attack the US taxpayer.
        got it.

      • kam says:

        ChinaBoy
        You so very funny. By your yardstick, Hitler’s army and Japan’s army in China, were “self-financing”.
        Cute.
        Equifax is small potatoes in the China spy game.
        The sooner the USA rids itself of the China Plague, the better.

        • J7915 says:

          The wehrmacht definitively was self financed, if you consider living off the land that. So was Sherman’s army on their march through Georgia.

          I have another take on China vs Equifax…why is Barr indicting chinese officers, when it was Americans who, illegaly gathered data, did not safeguarded it, sold it to whomever or gave it away, yet those folks are not being charged? How about $1k for every dossier they sold, lost whatever?? They already have my address or at least one bank account number.

      • Greg Hamilton says:

        China,
        Don’t worry this is all just a conspiracy theory. It even says so in the article, “conspiracy,” and everyone knows that anyone who believes in conspiracy theories has a screw loose or wears a tin foil hat (aka a Faraday cage).

    • Red Rock says:

      I was just required to give my Equifax info to Windstream, a rural net provider….doesn’t sound secure to me. Century Link also requires TransUnion credit report…for a $45 net service. There it is, data collection with unlimited security slips.

  2. VintageVNvet says:

    Thanks for this summary Wolf.
    Fact is that NSA should hire these four people ASAP, and with appropriate safeguards and other guard types watching them, put them to work, since they apparently have the best skills,, or at least did in 17…
    Just saying, we need the best we can find doing their best on the net…

  3. Petunia says:

    Equifax is not worse than the govt personnel records hack. Now they can merge the two files and see what govt employees are under financial distress. Easy targets to exploit.

    • Cas127 says:

      Petunia,

      I think you may have put your finger on it.

      • Aldrich Ames says:

        The exploited data as indicated above can be used in conjunction with other data to locate ‘persons of interest’ such as people working for certain government entities such as the DoD, the various military banches, the CIA, NSA, DIA.

        Combine the data with records of communication or other activities such as travel and you can probably locate intelligence agencies assets (ie spies) in various countries.

        IIRC several NOC’s were identified in one TC novel using this approach.

        But even better yet, read the series of books, Chung Kuo how this data could be used in the future.

        • Randy says:

          So true. I worked for the DOD. China got me through both the OPM hack and the Equifax Hack and probably the SPG hotel hack.

          I have no plans to travel to China, but if I did I’m sure I would be followed all over the country.

        • FicaMan says:

          Nobody ‘follows’ u in China anymore, that went out some 30+ years ago.

          Today there are cam’s everywhere.

          Also now there is no paper-money, everything is paid for with alipay on your mobile-phone, which means your entering you movement for them.

          Pretty easy to get off the ‘grid’ in China, just go down to Yunan, and head out to some remote village and hang-out, use paper-money, and no camera’s.

          Only honest people get wrapped up into this stuff. The CIA-DOD all create their own passports, their own persona’s, clean slates; clean FICA report’s not a problem, who honestly would really trust any of this stuff? It’s just a tool for the banks to decide whether to loan money.

          Even in China, the ‘social score’ is just for little people.

          If your rich, why even bother looking at your FICA in USA? I mean you have no need for loans, ‘Equifax’ is just a tally for checking out ‘renters’ and other type’s of low-life. Perhaps of most use would be the person who has no debt. Like they say in Greece if your rich, your either a criminal, or you have inherited criminal wealth, for all wealth is/was accumulated by crime.

          There are actually 100’s of 1,000’s of American’s living all over China, its easier these days for a college grad of USA, to find a teaching job in China, than it is to find a job in USA. When I travel in China, and go to local ex-pat bar’s I always meet dozens of 20 something’s wherever I go. It’s also really easy for western guy’s to open their own biz in China, for instance its easier to open a micro-brewery in China, than it is in California ( & Cheaper to boot ), for in China, there are no license’s or fee’s, or inspections, you just DO-IT; The current cost for State Admin in Calif to open a micro-brewery is now over $1M USD.

        • Greg Hamilton says:

          Well Aldrich,
          You of all people would know. Thanks for your thoughts.

    • TXRancher says:

      “government personnel and government contractors with DOD clearances”

  4. DOJ is doing a political hatchet job. The FBI head is a Trump appointee, (lives in fear). You have a story with some credibility in a politically charged context. You cannot trust these people. When the next (financial) crisis hits they stand between you and the truth.

    • Wolf Richter says:

      Good lordy. Please read paragraph 2: this was an indictment by a grand jury.

      • GJ is fed information from Federal Agencies. This government runs on false statements and outright propaganda. When the market crashes nothing you hear will be the truth. A sidebar, does anyone out there trust chairman Powell?

        • Javert Chip says:

          Gotta be tough going thru life with tin-foil hat, underwear and socks.

          Just saying…

      • Kiers says:

        They indict “ham sandwiches” too, is the popular saying.

      • DR DOOM says:

        The indictment rate for grand juries is %98 -%99. Indictment rate for foreign nationals is %100. Grand Juries are a rubber stamp and run on auto . They are a weapon for the proscecution designed to terrioze you and ruin you. The average American thinks that the constitution will protect them if they are innocent, they are ignorant. Only money and power protects you from the King.Barr is being hammered by Trumpsters about the lack of indictments from the Russian/Ukraine operation. He has to indict someone so he took a page from the Mueller play book and made some Russians laugh.

        • sunny 129 says:

          ‘Grand Juries are a rubber stamp and run on auto ‘

          YEP!

          Just like Board of Directors of a company under the Chairman who most of the also CEO

          Board of Trustees in NGO including Hospitals where Administrator is ‘orchestra’s director!

          BEEN there. seen it, still survived!

          Only in AMERICA!

      • Mira says:

        Maybe they got carried away ??
        Easy done.

      • WGary says:

        And as a New York judge once famously said, it’s possible to have a grand jury indict a ham sandwich.

      • Lisa_Hooker says:

        A jury of internet router/server engineers? Or a jury of John Doe peers with little technical background? The latter can be pointed in any direction by the prosecutors.

  5. Double D says:

    Indicting Chinese criminals is akin to wasting taxpayer money on an Impeachment scam. That really motivates more to never again buy “made in China” products. They have a plan & it’s destroying our way of life. Russia is complicit too as well as sophisticated computer criminals in the U.S. stealing our personal data & spying on us. You just don’t know what’s real anymore & what to believe. Freezing your credit gives you some level of protection although not much against sophisticated hackers. I would be interested to know how many out of the 134 million Americans already had a freeze on their credit.

    Chinese officials always have that look that’s “sure you can tariff our goods & make life harder for us, but we’ll see whose getting the last laugh”. Cue that plastic grin.

    • Cas127 says:

      I think that plastic grin is because of all of the tens of millions of imported electronics to the US that could have been easily trapdoored.

      • char says:

        You don’t burn a method like that for something like this. This is just your standard security exploit

    • backwardsevolution says:

      Or maybe the payback is the corona virus.

      I did read a few years ago that 60% of all exports out of China that were destined for the U.S. were goods manufactured (in China) by U.S. multinationals. Maybe someone could correct me if that number has changed.

      If that’s still the case, wouldn’t the tariffs really be hitting the U.S. multinationals who took the jobs to China in order to enjoy the low wages and no environmental controls? Isn’t Trump twisting their arms in order to get these companies to come back home? In essence: “Fine, if you choose to stay in China, you are going to pay a price for that.”

    • char says:

      They are not criminals but people who work for Chinese intelligence and spying on us is what is in their job description.It is what spies do. It is also what American spies do. Likely even more if we go by reputation.

      ps. Those prosecutors give the US a bad name

    • Hacker says:

      If China was able to break-in the Equifax servers, imagine how many high-school kids in USA did the same??

      The Apache Exploitation has been known for years, this is common stuff, there are 1,000’s of GITHUB downloads.

      Please folks, why is this even news? When an Autistic child in basements all over the USA do this everyday, and sell the data on the dark-web.

  6. Ed says:

    Lets not blame the chinese, they let the door wide open.

    • Wolf Richter says:

      Let’s not blame the burglar for breaking into your house because you merely locked the three deadbolts in your wooden door instead of putting up a steel door. And the burglar used a crowbar to bust your wooden door.

      • Lance Manly says:

        From what I have read about the hack, Equifax’s cyber security was pretty lame.

        • Lance Manly says:

          LOL, they did not patch the Struts vulnerability, I think my dog could have done that. We patched it months before. Really if you are pulling in that much cash can’t you have someone motoring your vulnerabilities?

        • Thomas Roberts says:

          The head of IT security at Equifax was a woman with a degree in music.

          Not that a woman couldn’t do this job of course, but this woman was probably a diversity hire or bootlicker.

          https://www.marketwatch.com/story/equifax-ceo-hired-a-music-major-as-the-companys-chief-security-officer-2017-09-15

          Judging by this alone, I don’t think it would take geniuses to hack in.

        • ApacheExploiter says:

          Exactly the Apache exploit is as old as the Beverly Hillbilly’s TV show, it’s like the first thing you learn.

          One can only assume that Equifax was running a honey-pot, and sent the links to the Chinese, so that some Senator could use this as a justification on a rainy day, say ban Huawei

          Equifax is not in the business of protecting info, they’re in the business of selling info, funny all this info is for sale, the entire point of it being online is that it is SOLD, or a cheap price.

          What the PLA might have done is get something for free, and that of course is a crime in the USA.

          I can run a TRW/Equifax/… Report on anyone of you any time I wish, and get 100% of all data/records for all time; This is not secret stuff, this is essentially waste, Lexis-Nexis has been selling this stuff for 40+ years, every lawyer on earth uses it to decide whether you might have money in your pocket in any kind of trial.

          The only people who don’t have access to this data are the debt-slaves, they can get it for free for themselves, but not their neighbor, but any cop, IRS person, rich-guy, or lawyer can pull up anybody in the USA 24/7, and they do.

        • Greg Hamilton says:

          Apache,
          If I was a skeptical man I would believe you. Unfortunately, I am becoming more and more skeptical all the time.

      • Dan Romig says:

        Yes, Equifax did not have the best procedures in place from what I have read.

        But in my home town of Minneapolis, a lot of people were not too bright and helped the burglars have an easy rip-off. In the first three weeks of January, 262 auto thefts occurred. Of these, 191 were unattended vehicles left running with the keys in them.

        “The Minneapolis Police Department has advised citizens not to leave their vehicles running unattended.” My response is, “No shit, Sherlock.” But evidently they felt the need to make this statement.

        • sunny129 says:

          What about other major businesses?
          Are they any better than EQUIFAX?

          Are not some of them still using windows XP, just a couple yrs ago?

          My 2 sons are in IT depts in Manhattan – they update me!

      • Lance Manly says:

        Well, I could be cut off but here is the vulnerability https://www.cvedetails.com/cve/CVE-2017-5638/ we shut everything down on day 0 because it allowed the execution of arbitrary code and was an exceedingly easy hack to do. In this case there was no locks, just a pin through a hasp that anyone could pull out. How do you disregard a threat at 10 out of 10.

      • KFritz says:

        As a long-time, regular reader of KrebsonSecurity, I feel safe writing that the PRC took full advantage lousy, inept security at Equifax. A company controlling that sort of data needed to be much better

        As a “consumer” of their services, I’ve found Equifax to be easily the worst of the three major credit-reporting agencies.

        The PLA operatives picked the biggest, lowest-hanging fruit. Very efficient.

        • ChinaBat's says:

          It’s said that 4-Chan is ran by US-Navy, 4-chan & 8-chan are where high-school hackers hang-out.

          Certainly an 8 year old Chinese protege could hang on 4-chan for an hour, and inquire ‘equifax exploits’, be pointed off to the dark-web entry points, and be told where & how to download any python tool required.

          Low Hanging Fruit indeed. Probably done as a contest some weekend at a PLA computer camp, that’s probably why the DOD got the PLA IP’s, but what they didn’t tell you is five year old Chinese kid ran the exploit and downloaded the data, and got a free trip to Disneyland Shanghai.

      • Ed says:

        They left it open with the default passwords like admin / admin
        No crowbar needed.

  7. R.W. says:

    The more I learn about the Chinese people and government the more I do not like China.
    While traveling in Japan I noticed the Japanese people seem to share the same feeling as myself.

    • Zantetsu says:

      Japan – China animosity has a history going back to WW2 (and beyond) and has nothing to do with your personal xenophonia.

      I guess you’ve never travelled to China given your comment? You should try it. When you meet actual people it becomes hard to vilify them.

    • Cas127 says:

      Well, the Chinese are not overly fond of the Japanese either…based on one or two historical incidents…

    • Wisdom Seeker says:

      Chinese people are wonderful. Very different culture but very big hearts inside. But they have too much love of stability, which with other cultural preferences leads to bad Chinese governments.

      Knowledge is power, which today means Big Data + AI. Too much personal information is out in the wild, so those seeking power are slurping up all the data they can.

    • DR DOOM says:

      Modern China sees Japan through the lens of December 13, 1937 in Nanjing China. I am humbled by both the wisdom and humanity buried in the people of China and Japan.

      • sunny129 says:

        ‘both the wisdom and humanity buried’

        So are the hatred. prejudice and ignorance just like any other race!

        Look at the current world affairs, genocide/wars since WWII!?

        • DR DOOM says:

          Sunny 129: Wisdom and humanity existing with racism and genocide is a fact and and an un-settling fact about humans. I am still optimistic .

      • ChinaKid says:

        My first travel’s to China in early 1980’s when they first opened it up to US, I was asked “Where U from?”, I said USA, and everybody around said “Thank you for dropping bomb on Japan”.

        Those were the day’s that people had never seen a westerner, of course now, all those people who were alive during the 1930-1940’s are long dead, or now the kids are not even told that the USA nuked Hiro&Nagi.

        I do remember some 10 years ago on long bus rides between Kunming & Cheng-Du, the movie’s on the bus were always the same, violent rape scenes from Japan occupation of China during WW2, and I’m talking serious graphic’s, thus this “Nanjing” is very well on their mind, and it didn’t just happen in Nanjing, the Japanese setup ‘comfort camps’ everywhere they went.

  8. NotTrue says:

    Probably going to get blocked because it does not fit the narrative. In 2012, I went back to university to get my Master’s Degree in one of the best public universities in the States. The Systems Department where the Computer Security subspecialty was housed already had a ton of these kinds of data. Data for around 125 million Americans. Source? Darknet. My advisor mentioned that every month or so you can buy updates to the data.

    If the Chinese did a hack to get these kinds of information, then either they were stupid or they were only testing new hacking techniques. The data’s just icing on the cake.

  9. Paulo says:

    Of course it’s tit for tat. Look what Snowden revealed. Remember the Pentagon Papers?

    There is a solution, of course. We can all go back to simpler times, bank in person, fill out paper, line up at the teller, and visit while they do our deposits. Imagine, knowing your loans officer, not having a credit card, and using cash. Nah, nobody wants to do that. People trade their privacy every single minute they walk around with their smart phone. And what isn’t snooped out and creeped by strangers, is often posted on Facebook!

    We’ve traded security for convenience and complacency. I’m sure NSC hackers are busy doing their masters bidding as I write this. And I also question what is even believable these days? The FBI and Justice Department is denigrated and demeaned when it is politically expedient to do so, there is a trade dispute currently underway, why is this time different?

    This is a time when every institution has gone through a tear down. Scepticism, is a natural result.

    • Cas127 says:

      “This is a time when every institution has gone through a tear down. Scepticism, is a natural result.”

      Golly, if only some group of people had historically…”founded”…a country skeptical of centralized power, protecting its citizens with a, hm…”Bill of Rights” maybe.

    • Anon1970 says:

      Try placing a freeze on your credit reports in Canada. You won’t get very far. If you are a good account, your bank may condescend to get you a copy of your report.

      • Jack3 says:

        Anon1970 said, “Try placing a freeze on your credit reports in Canada. You won’t get very far.” I don’t think there’s such a thing as a (credit) “freeze” in Canada; instead, you can have an Alert set up so that if you or anyone wants to borrow money in your name, they (credit agencies) have to call you. I just did with Equifax Canada, haven’t yet got around to the other one in Canada.

        • Anon1970 says:

          As far as I can tell, the credit alert system only notifies you after the credit event has taken place and does not protect you against the credit reporting agency from including your personal information on mailing lists which it sells.

    • DR DOOM says:

      Paulo: I had an Air Head niece tell me that if you have nothing to hide then should not care about privacy. She made this statement at the family beach house with 20 family members present. It was a good moment for our clan because her family peers laid waste to her before I could open my mouth .

  10. Brant Lee says:

    Shouldn’t the question be: What hasn’t been hacked by foreign entities? Why fire off ICBM’s from your own country when you can hack somebody else’s? Will someone here explain why that 100% can’t happen?

    • Wisdom Seeker says:

      Airgapped computer systems.

      • MCH says:

        That and a disk operating system that isn’t at all connected to the internet running with 8” floppies. Let me know if you can find those floppies to upload a virus.

        • Ethan in NoVA says:

          I have an IMSAI 8080 computer (similar to an Altair.) They originally had a dual 8″ disk subsystem but mine unfortunately has a 5.25″ setup. I’m hoping to find the matching 8″ drives at some point to have a system that matches that in “War Games.”

          But lots of friends have 8″ floppy drives that could write that sneakernet malware if you need a hook up. There are people that rebuild and repair them as well.

      • MrRobot says:

        The CIA infiltrated Iran with USB drive’s, just gave them away for free.

        Nowadays, at Mall’s they just ask you to scan an image, and your phone automatically’s installs a trojan-horse.

        People install app’s in their phone without even thinking. Remember in “Mr Robot” they just dumped USB-drives on the ground around the police station, one stupid cop picked one up, took it inside and inserted, then they were able to take over the entire police/jail door-lock system.

        Air-Gapping doesn’t do much when curiosity always kills the cat.

  11. Thom Prentice says:

    I am FAR more concerned about “unacceptable pattern of state-sponsored computer intrusions and thefts by” the nsa, cia, fbi, facebook, twitter and … credit reporting agencies.

  12. The artist formerly know as Marcus says:

    Hi Wolf. I’d like to suggest that you post a link to your excellent instructions on setting up a personal credit freeze with the agencies. I searched your old posts to find it and set up my own freezes. Very much appreciated

  13. raxadian says:

    Equifax still did not update their systems when the patch had been available for more than a month before the hack. That’s the equivalent of leaving your window open at night then leaving the house.

  14. larry says:

    Wow. The very first thing a failing government does is blame everybody but itself for anything wrong. Sooo easy, and nobody bats an eye.

    What we are seeing now in the US is the exact same script. Blame Russians, Chinese, Ukraine, Turkey, India, even Canada, and God knows who else. Like, for everything.

    It is never the fault of our corrupt oligarchy. We seem naive to threats to our freedom, and most of them come from within.

    No one here has questioned the word of the government on this. Maybe the Chinese did it, maybe not. We certainly do at least as much to them, if not worse.

    When our oligarchy loved China for the fortunes it made them, we loved them too. Now that our oligarchy doesn’t love them so much, the folks they rule doesn’t either. Hmmmm.

    Does that make you feel a bit manipulated? After all, did you make a fortune on cheap Chinese labor? No, the oligarchy did. You likely lost your job to them.

    America ain’t what it used to be, folks. It is now just another banana republic.

  15. van_down_by_river says:

    Four members of the PLA stole personal data and “Equifax trade secrets”. What a joke, this useless company actually believes they have some valuable, proprietary technology. They are useless parasites that provide zero benefit to the economy.

    But Americans love their gold stars and participation trophies and gaming the system to improve their effing credit scores makes them feel special so take the good with the bad. The good news is you can pay a company to get your gold star credit rating, the bad news is I can buy your gold star credit rating from criminals, run up huge credit card bills and pin it on you – enjoy your gold star.

    • ElKatz says:

      van_… do you really understand the breadth of Equifax’s business or do you think they are just a credit rating service? If the latter, you’re misinformed.

      In my former life, we used Equifax data (combined with other sources of data) to determine the best location for automobile dealership open points or relocations. We used their entire demographic suite (along with the migration patterns – the value their being able to follow personally identifiable data ) in an attempt to predict how metropolitan areas would grow or “reorganize”.

  16. backwardsevolution says:

    Wolf: “But those four members are unlikely to want to blow their bonus and assorted other income anytime soon on a home in the US.”

    Probably own several homes in Canada or Australia already, bought through a shell corporation.

    There is a big difference between the Chinese and the Japanese – honor.

  17. Ron says:

    The good news about the Hack was that I learned that I could freeze my credit and the result has been a signifiant reduction in junk mail from a wide variety of sources. If I need a credit reference I simply have the freeze removed for a few days.

    • Anon1970 says:

      I have had a freeze in place at each of the credit reporting agencies since they first became available in about 2005.

  18. Memento mori says:

    I think most people have no illusions that the Chinese communist party is an evil force but it’s not the main issue here.
    The bigger question is why this data is on Equifax’s servers in the first place. I have no relationship with this firm, yet it is allowed to store my personally identifiable information? Why?
    And for losing it, I can claim what? A monetary pittance or credit monitoring by the same firm that lost the data in the first place.
    Seriously, C-Suite staff at Equifax should be doing hard time with the general inmate population for this, and every bit of their salary and bonus should be clawed back and added to the pool of money to be distributed.
    This was gross negligence and incompetence they were overseeing.
    Of course, no one has to hack in to get the data from Facebook, Google and the rest of the surveillance economy, it is for sale, and those who do not think that it is being purchased by shell companies for foreign governments, and probably our own, are naive.

  19. David Hall says:

    The Chinese trying to monitor their citizens’ every move with tracking software, cameras, facial recognition etc. is bad enough. Their suppression of free speech, freedom of assembly, and freedom of religion is a threat. This hacking is an invasion. I do not believe Europe is as rude. India might have some strange ideas, but they did not hack my credit rating. China, Russia, Iran and North Korea are the usual suspects.

    • nhz says:

      Europe is even more rude in some ways. They are just more clever in having most of the censorship done by Facebook, Google, Twitter and the many other US foot soldiers. Say something on the web about certain groups creating trouble in Europe and you are likely to have a police force visiting your workplace, to remind you that “”cultural diversity” is a blessing and resistance is futile (and when you try again, you are fired and sued and probably blocked from using the web). Happens frequently in Netherlands, Germany and probably many other EU countries nowadays.

  20. nick kelly says:

    Unless the idea is that these guys were moonlighting, why not charge the PLA?

  21. Old Engineer says:

    I’m sorry, it may be true, but it reeks of provocation. Did it really take them 2 1/2 years to figure this out or is this an attempt to take advantage of civil discord and foment rebellion against the Chinese government? Or perhaps they think that with the Chinese economic problems coming up they can blackmail them into sending the guys here?

    If they are trying to start trouble they better hope they fail. Because a diaspora of Chinese carrying nCoV across the 1000’s of miles of porous borders is the last thing the world needs right now.

    It may all be true, but if so they’ve been waiting to use it for something. I just hope they don’t get us all killed doing it.

  22. timbers says:

    Major problem here. I don’t trust anything US Intelligence agencies say given their proven record of lies, most recently the falsification of the OPCW report claiming Syria used chemical weapons and other lies like WMD in Iraq and foreign nations hacking DNC. Just a quick note if proven deliberate lies by our national security complex

  23. timbers says:

    Wolf, why would ANYONE believe ANYTHING the NSA or any other US intelligence agency say? Have we really learned NOTHING from our recent past?

    • Wolf Richter says:

      So I’m gonna believe the Chinese government’s denial???

      Things getting pretty nutty around here.

      • Old Engineer says:

        The nuttiness lies in the fact that the Chines denials have about as much credibility as the US accusations, these days. But seriously, you must admit our intelligence based accusations have a serious documented history of, shall we say, inaccuracy, over the last 20 years. I don’t have a clue what the admin is up to, but why now, after over 2 years, when the Chinese are up to their@##es in alligators?

      • wkevinw says:

        Nutty, yes.

        The old saw comes to mind about blaming malice for what can be stupidity or laziness.

        There was certainly malice on the part of the hackers, but there was a lot of stupidity in Equifax.

        Even if the head of cybersecurity was not competent, there is supposed to be a layer of very good tech experts below the head. They all also failed.

        These large organizational failures are very curious. The technical/engineering folks at GE, auto manufacturers, Equifax.

        It does suggest that the corporate executives have a lot and probably too much power these days. However, a feature of free markets is that this opens up opportunities for competitors.

        Luck to all!

  24. Unamused says:

    Now if they had simply paid for the data like everybody else there wouldn’t have been a problem.

    Well, almost everybody. Real professionals make it a point of honor to accept the challenge, trivial though it may be.

    Which reminds me. I haven’t seen that Bob Redford movie “Sneakers” in a while. The McGuffin is a computer chip that can decode and decrypt any digital security instantly. Naturally there’s a lot of competition for it between various public agencies and private enterprises. The good news is that in the end Dan Aykroyd gets his Winnebago with the bungundy interior and Sidney Poitier gets to take his wife on a tour of Europe, including Tahiti.

    Whistler: I want peace on earth and goodwill toward men.
    Abbot: We are the United States Government. We don’t do that sort of thing.

    Setec Astronomy everybody.

    • sierra7 says:

      Unamused:
      Movie: “Sneakers”
      LOL!
      “All I want is her phone number”
      In my storage file; watch it every once in a while…..classic!!

  25. Unamused says:

    The four Chinese nationals charged appear to be professionals who are likely to have fake identities and to use a variety of personal identification obfuscation techniques. One can just imagine the full eagle consternation when some intelligence analyst figures out that all the names translate to some variation on “Eat my shorts”.

    Just don’t tell the DoJ. They think they’re on to something.

    • Wolf Richter says:

      You’re being silly, and you know it. There is no anonymity on the internet. Governments can trace back where what came from and identify individuals, no problem. It’s just a lot of work and takes a while.

      • Unamused says:

        Maybe, maybe not. If that were true they could track down all the hackers and make data breaches and malware attacks rarities instead of a cottage industry and popular among hobbyists.

        Come to think of it, I haven’t seen that Ray Bradbury short “Dial Double Zero” in a while either. I just saw the X-Files episode “Kill Switch” last year.

      • sunny129 says:

        EXACTLY!

      • Lisa_Hooker says:

        “They routed traffic through approximately 34 servers located in nearly 20 countries to obfuscate their true location, … and wiped log files on a daily basis in an effort to eliminate records of their activity.”

        So our boys traced the culprits without most log files. Pretty good trick. Especially the part where our boys got permission to access the log files on servers in 20 different countries. I guess the hackers only used servers in countries friendly to the US. (And, “nearly” 20 countries? What’s a “near” or almost country?)

        Rule #3 when setting up your long chain of encrypted SSH tunnels from node to node: set up a few Linux boxes as routers and run your chain through. No need to expunge logs, just wipe the server (not with a cloth) and everything is gone. A link is gone and you can’t see any further downstream.

        I call BS. Either the hackers were novices (unlikely) or we are being intentionally misled. Same thing goes for actual signal path “tracing” activity to Russia in 2016.

        Any system administrator worth his/her salt can set up untraceable communications.

        However, as Wolf points out: “It’s just a lot of work and takes a while.”

        • Wolf Richter says:

          I think you fail to understand the extent to which network surveillance fills in gaps and makes things possible. This has been done for years — for at least two decades to my knowledge.

        • Lisa_Hooker says:

          Not saying the Chinese don’t steal. We had one in my company – apprehended about to board a plane home to China with $20k cash and a bunch of CDs with company proprietary code and documentation. Literally “Red” handed.

  26. MCH says:

    Let me know when we indict comrade Pooh who loves baozi. But seriously, at what point does one separate statecraft (which this probably is) vs criminal actions. Otherwise this feels like ordinary espionage.

    Interesting, but about as useful as indicting some foot soldiers in a clash of civilizations.

  27. Unamused says:

    Even if the Equifax incident isn’t really just SkyNet having a lark, in which case you’re all in a lot more trouble than you thought you were, digital technology and malicious political ambition have still turned the world into a fine-grained panopticon.

    That’s a real word and very useful in this context.

    I’ve mentioned in passing a couple of times that the world is plunging headlong into totalitarianism. They have ways of making you talk, but between Faceplant and online retail those methods have become obsolete and not the least necessary, insofar as token resistance has been overwhelmed with enthusiastic participation.

    Big Brother: “This is way too easy.”

    • nhz says:

      Yes, the evil is in deliberately collecting, storing and using/manipulating all this sensitive data; all of it done by US companies and government institutions. If the Chinese are trying to get their fill it is just a sideshow (I seriously doubt the whole story … it is clearly intended for public consumption).

    • 4ChanGimp says:

      Equifax is the K-mart of the online world of finance, what more does a mother need to know?

      The fact that China broke into the Equifax some 4+ years ago, simply means that they really are 15 years behind the average teen on 4Chan.

  28. Make American Stocks Great Again says:

    Hopefully, public security will be enhanced and personal data will be better protected in the future.

    If only I had some kind of mark on my hand or forehead that allowed me to buy stuff.

  29. WGary says:

    We should believe the FBI because???

  30. No Free Lunch says:

    Retaliate. Hack the Chinese government’s computer systems and publish all that is found about the evil things they do their citizens. Make it so their people see their denials as obvious lies. China’s government does have a soft underbelly that can be exposed by the same means they used to hack Equifax. I’ll volunteer my hacking skills if help is needed with this.

  31. Sammy Iyer says:

    In India biometric identification became a must for Bank account + mobile sim as of Dcc 2017. (also for renewing passport, Driving Liecence etc )
    In order to continue to do banking + keep my 2 mobile no’s, renew DL/PP etc, I reluctantly got biometric identity (Aaddhar) done in Dec 2017. (after 5-6 years from introduction)
    But Aadhar can be locked /unlocked online. My biometric identification is on lock always. If I have to open new bank account, or visiting DMV,PP office etc, I unlock it before I visit their offices & lock it immediately afterwards.
    I have never checked my credit report as I have never applied for any loan of any sort or credit card in the last 15-20 years .
    I have a Pre Paid credit card with a small security Fixed deposit for using in airport car rental/ hotel booking etc with a tight limit to deny any un neccessary debit by scamsters.(like PNC/US Bank )

  32. RD Blakeslee says:

    Meanwhile, it is now known that the CIA secretly owned a leading encryption supplier and read “secret” communications of virtually all the governments in the world, for years:

    https://www.washingtonpost.com/graphics/2020/world/national-security/cia-crypto-encryption-machines-espionage/

  33. Gene says:

    I believe there was an earlier (i.e., earlier than 2017) alleged hack of Office of Personnel Data by the Chinese army. Assuming there’s some credence to this story, what did the Chinese army do with the data? As for this being the finding of a grand jury, that grand jury was likely in the Eastern District of Virginia, the “espionage court,” which has a ~100 percent rate in finding in favor of the government. The jurors are typically drawn from the ranks of government and military personnel, current and retired. They’d convict JC himself as being a subversive character.

  34. gordon parnell says:

    THEY HAD IT COMING. . . the vulnerability that allowed the hackers to gain access to this data was known about by Equifax months before the attack and the company did nothing about it.

    China’s To Blame For The Equifax Hack. But It Shouldn’t Let Equifax, Or US Regulators, Off The Hook.

    read all about it at Techdirt: https://www.techdirt.com/articles/20200210/09502443893/chinas-to-blame-equifax-hack-it-shouldnt-let-equifax-us-regulators-off-hook.shtml

  35. Bruce says:

    Why are no executives from Equifax being charged for failure to maintain proper security of the data they collect? It is common in these types of data breaches for the companies to promise to “do better” in the future but they suffer no penalties and thus have no real reason to spend the time and money to upgrade their software and stay on top of the changing situation.

    • Wolf Richter says:

      Bruce,

      Equifax was raked over the coals, top executives got fired, and there were a ton of lawsuits by individuals and class-action. Equifax and the entire industry was forced to change its ways, including by providing free and easy credit freezes to consumers who want them. There were big consequences of this fiasco, and major improvements for consumers as a result, but no, no one went to jail.

      You can find my coverage of these topics here:

      https://wolfstreet.com/tag/equifax-hack/

  36. Greg Hamilton says:

    Wolf,
    Your article on the Equifax hack seems to have become a litmus test of sorts, that is who should we trust? The Chinese government or the U.S. government. Ten or twenty years ago the answer would have been obvious, today, judging from the responses, many people do not trust the U.S. government and I would guess that your readers are well educated. This should sound alarm bells in Washington, but I doubt it will.
    As always, thanks for your well written informative piece.

    • Wolf Richter says:

      Greg Hamilton,

      Yes, I can see that. Trump has done a great job destroying confidence by Americans in American institutions and elevating foreign dictators to credible role models. I’m not sure how I feel about that, but I certainly see the effects right here in the comments. There has always some of it, but not to this extent. Amazing.

      • MB732 says:

        So American institutions didn’t destroy their own credibility by being caught lying and violating the law over and over? I think the commenters’ skepticism is well deserved.

        I’ll leave it at that. From WS commenting guidelines “Wolf Street is a business, finance, and economics site, not a political site.”

        • Wolf Richter says:

          “American institutions didn’t destroy their own credibility by being caught lying and violating the law over and over?”

          Yes, that’s part of the problem. I’m thinking WMD in Iraq, for example, as a pretext to go to war.

    • The truth is bipartisan and so is its antipathy. When you relegate due process to partisanship you close off future avenues of cooperation. When Fed/Treasury walks hat in hand to Congress for bailout funds this time, the outcome is less certain, with perhaps a more judicious result than after the GFC. We arrive at the truth by denying the lie. A lot more pain as well.

  37. RD Blakeslee says:

    I have long believed, and more evidence supporting my belief appears every day, that everything classified is known to our enemies. It’s “secret” only from the the citizenry.

  38. nhz says:

    just read the latest revelations about Crypto AG and you will understand that even if this Chinese hack is true (many reasons to seriously doubt the whole story) it should be clear who the really evil force on the web is. NSA/CIA/Mossad is just getting nervous that their decades long world control through espionage, hacking and data manipulation (both commercial and political) may finally get challenged.

Comments are closed.