The U.S. Department of Justice said that four members of the People’s Liberation Army, an arm of the Chinese military, have been charged with breaking into the networks of the Equifax credit reporting agency, and stealing personal information of tens of millions of Americans, according to the Associated Press.
This is specifically regarding the data breach that Equifax discovered on July 29, 2017 (and did not announce until September 2017). In July 2019 the Federal Trade Commission announced that Equifax had agreed to a global settlement with the FTC, the Consumer Financial Protection Bureau (CFPB) and 50 states and territories; the terms of that settlement are covered further down this page.
The U.S. Justice Department today posted remarks from Attorney General William Barr, in which he announced the indictment of the four “Chinese military hackers”. Here is a small portion of those remarks:
…Today’s announcement comes after two years of investigation. According to the nine-count indictment handed down by a grand jury in Atlanta, four members of the Chinese People’s Liberation Army, or PLA – Wang Qian, Wu Zhiyong, Xu Ke, and Liu Lei – are alleged to have conspired to hack Equifax’s computer systems and commit economic espionage. In doing so, they are alleged to have damaged Equifax’s computer systems and to have committed wire fraud….
TechCrunch reported that the four alleged hackers were said to be part of the APT10 group, a notorious Beijing-backed hacking group that was previously blamed for hacking into dozens of major U.S. companies and government systems, including HPE, IBM, and NASA’s Jet Propulsion Laboratory.
The Federal Trade Commission announced that Equifax Inc. has agreed to pay at least $575 million, and potentially up to $700 million, as part of a global settlement with the FTC, the Consumer Financial Protection Bureau (CFPB) and 50 states and territories, which alleged that the credit reporting company’s failure to take reasonable steps to secure its network led to a data breach in 2017 that affected approximately 147 million people.
As you may recall, Equifax discovered the breach on July 29, 2017, but did not announce it until September 2017. The attackers were able to access files containing personal information, including dates of birth, Social Security numbers, addresses, and credit card numbers.
This is a nightmare scenario not only for a credit bureau, but also for all the people who trusted Equifax to keep their personal information safe and secure. The FTC alleges that Equifax failed to patch its network after being alerted in March 2017 to a critical security vulnerability affecting its ACIS database, the database that handles inquiries from consumers about their personal credit data.
The proposed settlement:
- Equifax will pay $300 million to a fund that will provide affected consumers with credit monitoring services. The fund will also compensate consumers who bought credit or identity monitoring services from Equifax and paid other out-of-pocket expenses as a result of the 2017 data breach.
- Equifax will add up to $125 million to the fund if the initial payment is not enough.
- Beginning in January of 2020, Equifax will provide all U.S. consumers with six free credit reports each year for seven years – in addition to the one free annual credit report that all credit bureaus offer.
- Equifax will pay $174 million to 48 states, the District of Columbia, and Puerto Rico, as well as $100 million to CFPB in penalties.
- The settlement also requires Equifax to obtain third-party assessments of its information security program every two years.
The UK’s Information Commissioner’s Office (ICO) has hit credit reference agency Equifax with a GB£500,000 fine for the 2017 data breach. Equivalent to US$660,000, the fine is the largest the ICO had imposed up to that point and is the maximum permitted under the Data Protection Act 1998, the legislation in force at the time of the breach. Under the newer GDPR rules, the fine could have been as high as €20 million, or 4% of annual global turnover, whichever is higher.
The Equifax data breach involved the records of 146 million people, with nearly 15 million being UK nationals. The ICO was scathing in its comments about Equifax, saying, “The ICO found that measures that should have been in place to manage the personal information were inadequate and ineffective. Investigators found significant problems with data retention, IT system patching, and audit procedures. Our investigation also found that the US Department of Homeland Security had warned Equifax Inc about a critical vulnerability as far back as March 2017. Sufficient steps to address the vulnerability were not taken meaning a consumer facing portal was not appropriately patched.”
During the 2017 cyber attack, a range of personal information was taken, including names, dates of birth, addresses, passwords, driving licences and financial data.
The Information Commissioner herself, Elizabeth Denham, went on to say, “The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce. This is compounded when the company is a global firm whose business relies on personal data.”
Equifax’s approach to data protection and the care of our personal data was negligent, and frankly, I don’t think they deserve to be in business. The full judgement is here (PDF).
Money photo by Sharon McCutcheon on Unsplash.