I am here to announce the indictment of Chinese military hackers, specifically, four members of the Chinese People’s Liberation Army for breaking into the computer systems of the credit-reporting agency Equifax, and for stealing the sensitive personal information of nearly half of all American citizens, and also Equifax’s hard-earned intellectual property.
This was one of the largest data breaches in history. It came to light in the summer of 2017, when Equifax announced the theft. The scale of the theft was staggering. As alleged in the indictment, the hackers obtained the names, birth dates, and social security numbers of nearly 150 million Americans, and the driver’s license numbers of at least 10 million Americans. This theft not only caused significant financial damage to Equifax, but invaded the privacy of many millions of Americans, and imposed substantial costs and burdens on them as they have had to take measures to protect against identity theft.
As described in the indictment, the hackers broke into Equifax’s network through a vulnerability in the company’s dispute resolution website.
Once in the network, the hackers spent weeks conducting reconnaissance, uploading malicious software, and stealing login credentials, all to set the stage to steal vast amounts of data from Equifax’s systems. While doing this, the hackers also stole Equifax’s trade secrets, embodied by the compiled data and complex database designs used to store the personal information. Those trade secrets were the product of decades of investment and hard work by the company.
Today’s announcement comes after two years of investigation. According to the nine-count indictment handed down by a grand jury in Atlanta, four members of the Chinese People’s Liberation Army, or PLA – Wang Qian, Wu Zhiyong, Xu Ke, and Liu Lei are alleged to have conspired to hack Equifax’s computer systems and commit economic espionage. In doing so, they are alleged to have damaged Equifax’s computer systems and to have committed wire fraud.
This kind of attack on American industry is of a piece with other Chinese illegal acquisitions of sensitive personal data. For years, we have witnessed China’s voracious appetite for the personal data of Americans, including the theft of personnel records from the US Office of Personnel Management, the intrusion into Marriott hotels, and Anthem health insurance company, and now the wholesale theft of credit and other information from Equifax. This data has economic value, and these thefts can feed China’s development of artificial intelligence tools as well as the creation of intelligence targeting packages.
In addition to thefts of sensitive personal data, our cases reveal a pattern of state-sponsored computer intrusions and thefts by China targeting trade secrets and confidential business information: hacks by a group known as APT 10, which worked in association with the Chinese Ministry of State Security, or MSS, to target managed service providers and their clients worldwide across industries; hacks by MSS intelligence officers who sought to steal intellectual property related to turbofan engines by using both insiders and computer operations, and; hacks by PLA officers who targeted victims in the nuclear power, metals, and solar products industries for the economic benefit of Chinese companies.
Indeed, about 80 percent of our economic espionage prosecutions have implicated the Chinese government, and about 60 percent of all trade secret theft cases in recent years involved some connection to China.
We do not normally bring criminal charges against the members of another country’s military or intelligence services outside the United States. In general, traditional military and intelligence activity is a separate sphere of conduct that ought not be subject to domestic criminal law. There are exceptions to this rule, of course. For instance, we have brought charges against intelligence officers operating undercover in the United States.
And more recently, we have charged state-sponsored actors for computer intrusions into the United States for the purpose of intellectual property theft for the use of their private sector, bank robbery, and interfering with our democratic elections. Like those cases, the deliberate, indiscriminate theft of vast amounts of sensitive personal data of civilians, as occurred here, cannot be countenanced.
The United States, like other nations, has gathered intelligence throughout its history to ensure that national security and foreign policy decisionmakers have access to timely, accurate, and insightful information. But we collect information only for legitimate national security purposes; we do not indiscriminately violate the privacy of ordinary civilians.
Today’s indictment would not have been possible without the hard work of a dedicated team of Federal Bureau of Investigation (FBI) agents and federal prosecutors in Atlanta and here in Washington, D.C. In addition, the Department’s Office of International Affairs provided valuable assistance in working with other nations to secure evidence located overseas. Notably, Equifax cooperation throughout the investigation was critical to our development of the case.