The DOJ charged four members of the Chinese People's Liberation Army ("PLA") with breaking into Equifax's protected computers and stealing approximately 145 million Americans' personal information. The DOJ alleged that the PLA members also collected the sensitive information of nearly one million citizens in the United Kingdom and Canada.
According to the criminal indictment, Equifax holds a "colossal" repository of sensitive personally identifiable information that it sells to businesses responsible for assessing an individual's creditworthiness. Between May 13, 2017 and July 30, 2017, the DOJ stated, the four PLA members conspired to hack into Equifax's protected computers to steal this data. Specifically, the DOJ alleged that the PLA members:
stole (i) login credentials, (ii) sensitive information stored on Equifax's databases and (iii) protected trade secrets;
uploaded multiple unauthorized web shells to the Equifax web servers and conducted reconnaissance of Equifax's online dispute portal;
conducted a series of queries to search for sensitive information on the Equifax databases and then divided the large data files of stolen information into "more manageable" files for transmission;
used approximately 34 servers based in 20 countries to (i) hide the origin and location of the PLA members' internet traffic and (ii) avoid detection;
disguised their (i) unauthorized access to Equifax's online dispute portal and (ii) exfiltration of sensitive information by using encrypted communication channels that were already in existence on Equifax's network; and
wiped log files on a daily basis and deleted compressed files following the exfiltration of sensitive data in order to further avoid detection.
As a result, the PLA members allegedly obtained (i) approximately 145 million Americans' names, birth dates and social security numbers, (ii) at least 10 million Americans' driver's license numbers and (iii) roughly 200,000 Americans' credit card numbers.
The State of Massachusetts brought charges against the credit reporting agency Equifax for failing to adequately protect consumer data and other related violations.
At the direction of Governor Andrew Cuomo, the New York Department of Financial Services proposed expanded cybersecurity regulations for credit reporting agencies.
In the wake of the recent Equifax cybersecurity breach, Cadwalader attorneys reviewed SEC policies, procedures and controls on cybersecurity-related disclosures.
In testimony before a U.S. House Subcommittee, former Equifax CEO Richard F. Smith apologized for the data breach and detailed the company's response to the intrusion.