On January 28, a federal grand jury in Atlanta indicted 4 Chinese military personnel for hacking into the credit reporting agency Equifax between at least May and June 2017 and for stealing Americans’ personal data and Equifax’s trade secrets. The four men — Wang Qian, Xu Ke, Liu Lei and Wu Zhiyong — are members of the 54th Research Institute of the People’s Liberation Army (PLA), that is, the Chinese armed forces, according to the US Department of Justice and the FBI. What happened? In March 2017, Apache Struts Web Framework, an open-source web-application software that Equifax used for its online dispute portal, disclosed a vulnerability (CVE-2017-9805) that allowed attackers to remotely execute code on the targeted web application. Along with the disclosure, Apache Software Foundation also released a patch for the vulnerability. Equifax reportedly ignored both. As a result, roughly between March 13, 2017 and July 30, 2017, personally identifiable information (PII) of around 145 million Americans was leaked, Equifax had disclosed in September 2017. What kind of data got leaked? According to the indictment, names, birth dates and social security numbers (SSNs) of around 145 million Americans, driving licence numbers of at least 10 million Americans, and credit card numbers of about 200,000 Americans were collected by hackers. PII of nearly a million UK and Canadian citizens was also harvested. “[I]n a single breach, the PLA obtained sensitive personally identifiable information for nearly half of all American citizens.” — Indictment Modus operandi: The 4 indicted personnel were residents…
