
Illustration by Security Management

U.S. Charges Chinese Army Personnel in 2017 Equifax Breach

One day before Safer Internet Day, the U.S. Department of Justice (DOJ) charged four members of China’s People’s Liberation Army with computer fraud and economic espionage for their alleged roles in the 2017 Equifax data breach. Equifax is one of the leading credit reporting agencies, and the breach exposed names, Social Security numbers, and other sensitive information on more than 145 million Americans.

The DOJ shared some details in a press briefing and release on how the hack was carried out.

“The defendants exploited a vulnerability in the Apache Struts Web Framework software used by Equifax’s online dispute portal," the DOJ said. "They used this access to conduct reconnaissance of Equifax’s online dispute portal and to obtain login credentials that could be used to further navigate Equifax’s network. The defendants spent several weeks running queries to identify Equifax’s database structure and searching for sensitive, personally identifiable information within Equifax’s system.”
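The DOJ describes weeks of queries used to map Equifax's database structure and then pull personally identifiable information. The following is an added example, not code from the DOJ, Equifax, or this article: a small detector that reads database audit-log lines and flags any principal (user plus source address) that both enumerates schema metadata and runs broad reads against tables holding PII. The log format (`timestamp|user|src_ip|rows_returned|sql`), the log lines, the list of PII column names and the thresholds are all constructed assumptions for the example; a DBA who only inspects schema metadata is deliberately left unflagged to show why the two signals are combined.

```python
"""Flag database reconnaissance followed by PII sweeps in an audit log."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample audit log (not real Equifax data). Assumed format:
# timestamp|user|src_ip|rows_returned|sql
SAMPLE_LOG = """\
2017-05-14T02:11:03Z|portal_app|10.20.1.5|1|SELECT dispute_id,status FROM disputes WHERE dispute_id=88213
2017-05-14T02:11:07Z|portal_app|10.20.1.5|1|SELECT ssn,dob FROM consumers WHERE consumer_id=55102
2017-05-14T02:13:40Z|dba_j|10.30.0.2|412|SELECT table_name FROM information_schema.tables
2017-05-14T02:13:55Z|dba_j|10.30.0.2|9|SHOW TABLES LIKE 'audit%'
2017-05-14T02:14:02Z|dba_j|10.30.0.2|3|DESCRIBE audit_log
2017-05-14T02:14:30Z|dba_j|10.30.0.2|0|SELECT count(*) FROM audit_log WHERE ts < '2016-01-01'
2017-05-14T03:02:11Z|portal_app|10.20.1.9|412|SELECT table_name FROM information_schema.tables
2017-05-14T03:02:19Z|portal_app|10.20.1.9|1860|SELECT table_name,column_name FROM information_schema.columns WHERE column_name LIKE '%ssn%'
2017-05-14T03:02:40Z|portal_app|10.20.1.9|14|SHOW COLUMNS FROM consumers
2017-05-14T03:03:05Z|portal_app|10.20.1.9|0|SELECT table_name FROM information_schema.tables WHERE table_name LIKE '%pay%'
2017-05-14T03:05:12Z|portal_app|10.20.1.9|1000|SELECT first_name,last_name,ssn,dob FROM consumers WHERE consumer_id BETWEEN 1 AND 1000
2017-05-14T03:05:50Z|portal_app|10.20.1.9|1000|SELECT first_name,last_name,ssn,dob FROM consumers WHERE consumer_id BETWEEN 1001 AND 2000
2017-05-14T03:07:01Z|portal_app|10.20.1.9|522|SELECT * FROM consumer_cards
"""

# Statements that read schema metadata rather than application data.
SCHEMA_ENUM = re.compile(
    r"\b(information_schema|sys\.(tables|columns)|all_tab_columns|pg_catalog)\b"
    r"|^\s*(show\s+(tables|columns|databases)|describe|desc)\b",
    re.IGNORECASE,
)
# Assumed column names that mark a table as holding PII; tune per schema.
PII_COLUMNS = {"ssn", "dob", "date_of_birth", "drivers_license", "card_number"}
# Assumed threshold: a filtered read returning this many PII rows is a sweep.
PII_ROW_THRESHOLD = 100


class Finding(NamedTuple):
    principal: str
    schema_queries: int
    pii_queries: int
    pii_rows: int


def parse_line(line: str) -> Tuple[str, str, int, str]:
    """Split one audit line into (timestamp, principal, rows, sql)."""
    ts, user, ip, rows, sql = line.split("|", 4)
    return ts, f"{user}@{ip}", int(rows), sql


def is_schema_enumeration(sql: str) -> bool:
    return SCHEMA_ENUM.search(sql) is not None


def is_pii_sweep(sql: str, rows: int) -> bool:
    """True for a SELECT that names a PII column (or SELECT *) and is either
    unfiltered or returned PII_ROW_THRESHOLD rows or more."""
    m = re.match(r"\s*select\s+(.*?)\s+from\s+", sql, re.IGNORECASE | re.DOTALL)
    if not m:
        return False
    cols = {c.strip().lower() for c in m.group(1).split(",")}
    touches_pii = "*" in cols or bool(cols & PII_COLUMNS)
    unfiltered = re.search(r"\bwhere\b", sql, re.IGNORECASE) is None
    return touches_pii and (unfiltered or rows >= PII_ROW_THRESHOLD)


def analyze(log_text: str, min_schema: int = 3, min_pii: int = 2) -> List[Finding]:
    """Return principals that both enumerated schema metadata at least
    min_schema times and ran at least min_pii PII sweeps."""
    stats: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"schema": 0, "pii_q": 0, "pii_rows": 0}
    )
    for line in log_text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        _, principal, rows, sql = parse_line(line)
        s = stats[principal]
        if is_schema_enumeration(sql):
            s["schema"] += 1
        elif is_pii_sweep(sql, rows):
            s["pii_q"] += 1
            s["pii_rows"] += rows
    return [
        Finding(p, s["schema"], s["pii_q"], s["pii_rows"])
        for p, s in sorted(stats.items())
        if s["schema"] >= min_schema and s["pii_q"] >= min_pii
    ]


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.principal}: {f.schema_queries} schema queries, "
              f"{f.pii_queries} PII sweeps, {f.pii_rows} PII rows")
```

Run against the constructed log, the only principal flagged is the application account connecting from the unusual address 10.20.1.9: four schema queries followed by three sweeps returning 2,522 rows of PII. The DBA's schema inspection and the portal's single-row lookups fall below the thresholds. In production the principal key would normally be widened with the database session or connection ID, and the thresholds set from a baseline of the application's normal query profile.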

The department said the breach and subsequent data theft were part of a systematic effort by the Chinese government to obtain personal information on U.S. citizens, alongside the theft of Equifax trade secrets in the form of its data compilations and database designs.

In November 2019, Security Management provided depth and detail on the settlement Equifax reached with the Federal Trade Commission. The Apache Struts vulnerability (CVE-2017-5638) had been publicly disclosed, with a patch available, in March 2017, roughly two months before the intrusion began in May; Equifax's failure to apply that patch is what allowed the alleged Chinese actors to gain access. In addition to monetary penalties and free credit monitoring for affected consumers, Equifax must implement a comprehensive information security program and obtain independent third-party assessments of it every two years.

It has become a cliché in cybersecurity: there are two kinds of companies, those that know they have been breached and those that have been breached and don't know it yet. The article "Avoiding Breaches" (Security Management, December 2018) examines the findings of a white paper on how organizations are thwarting cyberattacks. One of the findings comes straight out of standard physical security practice.

“Additionally, organizations that are avoiding breaches are using playbooks to address incidents—much like physical security professionals use playbooks to walk through response to a fire in the facility or an active shooter," wrote Senior Editor Megan Gates. "These playbooks should recommend 'mitigation and shielding steps based on asset criticality and threat classification' so that any security analyst can follow the instructions to reduce risk to the organization, the white paper said. Playbooks should also be updated regularly to address changes in IT systems and software that the organization is using.”

While the Equifax breach took advantage of a software vulnerability, it is important to remember that the human factor matters just as much when identifying cyber risk. "Artful Manipulation" (Security Management, September 2018) looks at this risk.

“Sophisticated threat actors—whether they be nation states, criminals, activists, or disloyal competitors—will frequently target the most significant vulnerability found in most organizations: the human factor. The interaction between human beings and the technology meant to protect the organization is frequently referred to as the weakest link in security," wrote Peter Warmka, CPP, director of business intelligence for Strategic Risk Management and an adjunct professor for Webster University's cybersecurity master's program.

"The most common method used by these threat actors to exploit the human factor vulnerability is social engineering," he explained. "…Social engineering is the skillful manipulation of organizational insiders to undertake certain actions of interest to the social engineer. Insiders are not only employees of the organization—they include anyone who may have unescorted access into a target organization, including service providers such as the guard force, cleaning crews, catering companies, vending machine stockers, maintenance contractors, and more.”