Indictment of Chinese Military Hackers for Equifax Breach Highlights Important Data Security Lessons
February 11, 2020
The US Department of Justice (DOJ) charged four members of the Chinese People’s Liberation Army with hacking into the computer systems of the credit-reporting agency Equifax. The nine-count indictment, unsealed February 10, alleges a sweeping and sophisticated scheme to steal Equifax’s trade secrets and highly sensitive information of nearly half of all Americans. As Equifax acknowledged, the attackers exploited a vulnerability in its web-based dispute resolution software to gain access to its systems, then conducted network reconnaissance, stole service login credentials, and eventually exfiltrated troves of data. In total, the attackers allegedly obtained personally identifiable information for nearly 150 million Americans, as well as nearly a million citizens of the UK and Canada.
The indictment highlights three important lessons for businesses trying to manage and protect their data:
- Understand the value of your data – Attorney General William Barr, in announcing the indictment, framed the Equifax hack as “of a piece with other Chinese illegal acquisitions of sensitive personal data.” This pattern includes the hacks of the US Office of Personnel Management, Starwood Hotels, and Anthem Health Insurance, all of which were allegedly carried out by Chinese government actors. In December 2018, the DOJ charged other members of the same Chinese military hacking group with attacking cloud service providers to gain access to a diverse array of global companies, including companies in the aviation, automotive, healthcare, consumer electronics, biotechnology, and energy industries. As computing power continues to grow, sophisticated foreign adversaries such as China are not merely interested in government secrets; they now seek large data sets that can serve as inputs for data analysis and artificial intelligence tools. This shift has massive and far-reaching implications, particularly for private sector entities that now must consider whether they could be targets of foreign state hackers. It is imperative that all companies understand the scope and value of each of their data sets, and assign the appropriate levels of security and access controls.
- Patch vulnerabilities and maintain good cyber hygiene – Investigators determined that Equifax was victimized because it failed to address a known vulnerability. In early March 2017, the Apache Foundation announced a vulnerability in its Struts open-source framework that allowed unauthorized users of Struts-based applications to remotely run code on back-end servers without permission. The United States Computer Emergency Readiness Team (US-CERT) issued a public threat warning notice about the vulnerability a few days after it was discovered, and Apache offered a patch. But Equifax, which used Apache Struts for its dispute resolution portal, failed to patch this vulnerability, and within a matter of months, the team of Chinese hackers allegedly gained access to its systems and stayed there undetected for weeks. This is an unfortunate example of how failing to take simple cyber hygiene measures – such as keeping up with software patches – can cause tremendous damage. This failure also contributed to the resignation of the Equifax CEO just weeks after the breach was announced.
- Maintain relationships and communication with law enforcement – Equifax’s 2017 data breach caused tremendous damage to the company. It will pay out at least $700 million in compensation and fines to victims and regulators, its CEO was forced to resign in the face of Congressional and shareholder scrutiny, and its reputation suffered incalculable damage. But despite the company’s admitted missteps both before and after the breach, DOJ’s indictment and communications highlight that Equifax was the victim of a sophisticated nation state actor, and DOJ explicitly called out Equifax’s cooperation and assistance as “critical” to its development of the case against the alleged Chinese perpetrators. Relationships with law enforcement are crucial in the wake of a data breach, and firms should cultivate and maintain regular lines of communication with law enforcement. Companies can leverage a pre-existing relationship to potentially benefit from law enforcement’s resources and expertise when responding to and recovering from damaging data security incidents.
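The second lesson, keeping up with software patches, turns in practice on knowing which deployed components fall inside a published vulnerable range. The following is an added illustration, not part of the original memorandum and not code from Equifax, Apache, or O’Melveny: a small dependency inventory check that compares Apache Struts artifacts in a Maven-style manifest against the affected ranges from the March 2017 Struts advisory (CVE-2017-5638, fixed in Struts 2.3.32 and 2.5.10.1). The manifest format (`group:artifact:version`, one per line) and the sample entries are constructed for this example.

```python
"""Flag dependency versions that fall inside a published vulnerable range.

Added example: a defender's inventory check of the kind that would have
surfaced an unpatched Apache Struts deployment in 2017. The manifest
format and sample entries are constructed; the vulnerable ranges come
from the Apache Struts S2-045 advisory (CVE-2017-5638).
"""
import re
from dataclasses import dataclass

# Affected ranges per the S2-045 advisory: 2.3.5 through 2.3.31 (fixed in
# 2.3.32) and 2.5 through 2.5.10 (fixed in 2.5.10.1). Ranges are inclusive.
STRUTS_ADVISORIES = {
    "CVE-2017-5638": [
        ((2, 3, 5), (2, 3, 31), "2.3.32"),
        ((2, 5), (2, 5, 10), "2.5.10.1"),
    ],
}

# Constructed sample inventory in Maven-style group:artifact:version form.
# These entries do not describe any real system.
SAMPLE_MANIFEST = """\
# application dependencies (constructed sample)
org.apache.struts:struts2-core:2.3.31
org.apache.struts:struts2-core:2.5.10.1
org.apache.struts:struts2-core:2.5.10
org.springframework:spring-core:4.3.7.RELEASE
org.apache.struts:struts2-core:2.3.32
"""


@dataclass
class Finding:
    artifact: str
    version: str
    cve: str
    fixed_in: str


def parse_version(text):
    """Turn '2.5.10.1' into (2, 5, 10, 1).

    Numeric components are compared as tuples, so a four-part patch release
    such as 2.5.10.1 correctly sorts above 2.5.10. A non-numeric suffix
    (e.g. '.RELEASE') ends the parse and is ignored.
    """
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def check_manifest(manifest_text, advisories=STRUTS_ADVISORIES):
    """Return a Finding for every Struts artifact inside an affected range."""
    findings = []
    for line in manifest_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        group, artifact, version = line.split(":")
        if group != "org.apache.struts":
            continue  # only the Struts advisory is modelled here
        parsed = parse_version(version)
        for cve, ranges in advisories.items():
            for low, high, fixed_in in ranges:
                if low <= parsed <= high:
                    findings.append(Finding(artifact, version, cve, fixed_in))
    return findings


if __name__ == "__main__":
    for finding in check_manifest(SAMPLE_MANIFEST):
        print(f"{finding.artifact} {finding.version}: affected by "
              f"{finding.cve}, upgrade to {finding.fixed_in}")
```

Run against the sample manifest, the check reports the 2.3.31 and 2.5.10 entries and passes the already-patched 2.3.32 and 2.5.10.1 entries; extending it to other components is a matter of adding their advisory ranges to the table and feeding it the real dependency inventory.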
O’Melveny’s Data Security and Privacy Group, which includes former senior White House, Department of Justice, and Department of Homeland Security officials, stands ready to help clients implement the lessons of the Equifax breach and other similar incidents.
This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Steve Bunnell, an O’Melveny partner licensed to practice law in the District of Columbia, Lisa Monaco, an O’Melveny partner licensed to practice law in the District of Columbia and New York, John Dermody, an O’Melveny counsel licensed to practice law in California, and Evan N. Schlom, an O’Melveny associate licensed to practice law in California and the District of Columbia, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.
© 2020 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.