February 11, 2020

U.S. indicts 4 for Equifax data breach

U.S. Attorney General William Barr announced yesterday that four members of the Chinese People's Liberation Army (PLA) have been charged in the Equifax data breach. The 2017 data breach revealed the personal information of more than 147 million U.S. consumers and brought renewed focus to NAFCU's longstanding call for a national data security standard.

A release from the Justice Department explains how the hackers exploited a vulnerability in the software used for Equifax's online dispute portal. They then used this access to obtain login credentials to further navigate the credit bureau's network.

"The defendants spent several weeks running queries to identify Equifax's database structure and searching for sensitive, personally identifiable information within Equifax's system," the release says. "Once they accessed files of interest, the conspirators then stored the stolen information in temporary output files, compressed and divided the files, and ultimately were able to download and exfiltrate the data from Equifax's network to computers outside the United States.

"In total, the attackers ran approximately 9,000 queries on Equifax's system, obtaining names, birth dates and social security numbers for nearly half of all American citizens," the release continues, adding that the defendants are also being charged with stealing trade secrets.

In July, the CFPB, the Federal Trade Commission, 48 states, the District of Columbia and Puerto Rico announced a $700 million settlement with Equifax over the breach and for violating provisions of the Consumer Financial Protection Act.

NAFCU, as a leader in calling for national data security standards, has urged lawmakers to consider a national data security standard for institutions that collect and store consumer information. The association was the first group after the massive 2013 Target data breach to call for a legislative solution to reform the nation's data security system.