A Chinese spokesperson has strongly denied that his government was behind the hack of Equifax in 2017, which saw the personal data of hundreds of millions of individuals stolen – including the names, birth dates and social security numbers for nearly half of all American citizens.
Chinese foreign ministry spokesperson Geng Shuang was reacting to news that the US Department of Justice had charged four men, allegedly members of China’s People’s Liberation Army (PLA), with orchestrating what the FBI has described as the “largest theft of sensitive personally identifiable information by state-sponsored hackers ever recorded.”
“The Chinese government, military and relevant personnel never engage in cyber theft of trade secrets,” Shuang was reported as saying. “It has long been an open secret that the US government and relevant departments, in violation of international law and basic norms governing international relations, have been engaging in large-scale, organized and indiscriminate cyber stealing, spying and surveillance activities on foreign governments, enterprises and individuals.”
In other words, if I may paraphrase Mr Shuang, “we here in China would never hack anyone… it’s you in America who do it!”
Hmm. I think it be more honest to admit that just about every country in the world is likely to be involved in cyberespionage – if only because it is a relatively cheap and safe way to conduct espionage and gain advantages over other countries, with an additional side benefit of being so easy to deny responsibility.
According to the United States, the hackers (Wu Zhiyong, Wang Qian, Xu Ke, and Liu Lei were all members of a unit of the PLA, the 54th Research Institute.
They are accused of not only gaining unauthorised access to Equifax’s network, and stealing sensitive, personally identifiable information of many millions of individuals in the United States and elsewhere, but also stealing trade secret information, such as Equifax’s data compilations and database designs.
It’s probably never easy to keep a determined state-sponsored attacker out of your organisation, but Equifax was found to have done a pretty poor job of securing its network.
After the breach was disclosed it was revealed that the company had made a number of major security lapses including using “admin” as a username and password internally, and knew about a vulnerability on the web portal through which the hackers later gained access, but failed to apply the available Apache Struts security patches.
Shockingly, some of Equifax’s staff were later found guilty of insider trading in the company’s shares before the breach was made public – taking advantage of the fact that they knew there was very bad news around the corner.
Ultimately, of course, it is the hackers rather than those who were hacked who are to blame.
But what realistic chance is there that these four men will ever appear in a court to answer the charges? My prediction is zero
This was one of the most significant data breaches ever, and could impact many millions of individuals for years. And no-one is ever likely to be held properly accountable for it.