Feb 10, 2020

U.S. Tries to Stop Flow of Personal Data to China With Charges

Alyza Sebenius and Chris Strohm, Bloomberg News

A monitor displays Equifax Inc. signage on the floor of the New York Stock Exchange (NYSE) in New York, U.S., on Friday, Sept. 8, 2017. The dollar fell to the weakest in more than two years, while stocks were mixed as natural disasters damped expectations for another U.S. rate increase this year. Photographer: Michael Nagle/Bloomberg , Bloomberg

(Bloomberg) -- For the last several years, hackers based in China have allegedly been sucking up vast amounts of personal data of U.S. citizens: names, dates of birth, Social Security numbers, even fingerprints.

On Monday, the U.S. Justice Department took another stab at stopping them.

Attorney General William Barr announced that four members of China’s People’s Liberation Army had engaged in a three-months-long campaign to steal information on about 145 million Americans from Equifax Inc. In doing so, Barr detailed an audacious plan that allegedly began with a vulnerability in Apache software and uncovered a mother load of personal data.

But, according to U.S. authorities and cybersecurity experts, the Equifax hack was one of a string of data breaches executed by Chinese hackers in which personal data was stolen. Those experts described an effort to grab so much data on so many people that the Chinese could use it to compile a database of Americans, in part to bolster spying efforts.

Last year, Barr announced charges against a Chinese national who was part of “an extremely sophisticated hacking group operating in China” that stole information from four large American businesses, including data on 78.8 million people from the computer network of health insurer, Anthem Inc.

China has also been linked to a 2018 cyber-attack at Marriott International Inc., yielding data on 500 million guests, and an infamous 2015 incident in which data from the federal Office of Personnel Management was stolen on 21 million individuals, including Social Security numbers and 5.6 million fingerprints.

“Chinese spying is over the top increasingly dangerous,” said Jim Lewis, a senior vice president and director of the Technology Policy Program at the Center for Strategic and International Studies in Washington, when asked about the charges involving Equifax. “The PLA has more personal data on Americans than anyone else.”

The Equifax hack represents a major “counterintelligence operation” by the Chinese government for future use, including advancing artificial intelligence capabilities, said William Evanina, director of the National Counterintelligence and Security Center.

“They have more than just your credit score,” Evanina told reporters during a briefing on Monday. “They have all of your data.” He added that his biggest concern is that the Chinese will use the data to target people who don’t work in national security and therefore might not be aware of an operation.

U.S. officials said there was no evidence the stolen Equifax data was being used. However, Barr said the Equifax hack “fits a disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China and its citizens that have targeted personally identifiable information, trade secrets and other confidential information.”

The Chinese Embassy didn’t return a message seeking comment.

John Hultquist, senior director of intelligence analysis at the cybersecurity firm FireEye Inc., said the Equifax incident is “just one example of a shift by Chinese state hackers toward organizations that aggregate data.”

“Government bureaucracies, hospitality and travel organizations have been targeted alongside telecommunications firms and managed service providers in intrusions designed to allow access to huge amounts of data and proprietary information,” he said.

Cybersecurity experts offered different views on the purpose of the stolen data.

The data taken from Equifax may have been used as part of an attempt to compile a database of U.S. personally identifiable information, according to Priscilla Moriuchi, who is director of strategic threat development at the cybersecurity company Recorded Future, Inc. This database can be used for purposes including developing cover identities for Chinese intelligence officers, validating information from other intelligence services, or “building profiles of individuals that may be susceptible to recruitment by Chinese intelligence, “ she said.

Ben Buchanan, a cybersecurity expert at Georgetown University, said the data gleaned may have uses such as providing “financial context on targets of interest to China.”

“It probably wasn’t too taxing for the hackers to get even this voluminous amount of data, so why not take it?” he said.

Aside from allegedly stealing personal data, China has also been accused of pilfering intellectual property from U.S. companies, including by hacking. Former National Security Agency Director Keith Alexander, who served under presidents Barack Obama and George W. Bush, has called it the “greatest transfer of wealth in history.”

In 2018, for instance, the U.S. indicted Chinese intelligence officers for stealing technology underlying a turbofan used by airlines while members of China’s Ministry of State Security were charged with targeting government agencies and more than 45 technology companies in the U.S.

According to the indictment announced on Monday, the hack at Equifax began in May 2017, maybe earlier, and continued through July of that year. The defendants exploited a vulnerability in Apache software that was used by Equifax’s online dispute portal, where users could research and dispute inaccuracies in their credit reports. Apache had announced a vulnerability in certain versions of its Struts software, and it wasn’t patched on Equifax’s online dispute portal, according to the indictment.

Equifax “holds a colossal repository of sensitive personally identifiable information, including full names, addresses, Social Security numbers, birth dates, and driver’s license numbers,” according to the indictment, which alleged that the People’s Liberation Army obtained the names, birth dates, and Social Security numbers for 145 Americans, in addition to the driver’s licenses for at least 10 million Americans, and the credit card numbers and other personally identifiable information on 200,000 U.S. consumers. PLA hackers also obtained personal data belonging to nearly a million citizens of the U.K. and Canada, according to the indictment.

Despite major investments in security measures, Equifax appeared to have been compromised “by poor implementation and the departures of key personnel in recent years,” according to a September 2017 story in Bloomberg Businessweek. A congressional report in 2018 found that Equifax failed to modernize its security to match its aggressive growth strategy.

On Monday, Equifax Chief Executive Officer Mark Begor said, “Having China indicted for this really changes the stakes for all of us.”

“These cyber-attacks are getting more challenging for every company,” he said. “It definitely raises the bar for all of us on what we need to do to defend the sensitive data that we have.”

--With assistance from Jenny Surane.

To contact the reporters on this story: Alyza Sebenius in Washington at asebenius@bloomberg.net;Chris Strohm in Washington at cstrohm1@bloomberg.net

To contact the editors responsible for this story: Andrew Martin at amartin146@bloomberg.net, Andrew Pollack