The US has charged four Chinese military officers over the huge cyber-attack on credit rating giant Equifax. More than 147 million Americans were affected in 2017 when hackers stole sensitive personal data including names and addresses.
Some UK and Canadian customers were also affected. Announcing the indictments, Attorney General William Barr called the hack “one of the largest data breaches in history”.
According to court documents, the four are allegedly members of the People’s Liberation Army’s 54th Research Institute, a component of the Chinese military.
They spent weeks in the company’s system, breaking into security networks and stealing personal data, the documents said.
The nine-count indictment also accuses the group of stealing trade secrets including data compilation and database designs.
The whereabouts of the suspects is unknown and it is highly unlikely that they will stand trial in the US.
FBI Deputy Director David Bowdich said: “We can’t take them into custody, try them in a court of law, and lock them up – not today, anyway.”
Equifax said hackers accessed the information between mid-May and the end of July 2017 when the company discovered the breach.
The accused allegedly routed traffic through 34 servers in nearly 20 countries to try and hide their true location. The credit rating firm holds data on more than 820 million consumers as well as information on 91 million businesses.
Mr Bowdich said there was no evidence so far of the data being used to hijack a person’s bank account or credit card.
Equifax CEO Mark Begor said in a statement that the company was grateful for the investigation.
“It is reassuring that our federal law enforcement agencies treat cybercrime – especially state-sponsored crime – with the seriousness it deserves.”
Critics have accused the company of failing to take proper steps to guard information and for waiting too long to inform the public about the hack.
Richard Smith, CEO of Equifax at the time of the hacking, resigned a month after the breach. He apologised for the firm’s failings, ahead of testifying in Congress.
Equifax was forced to pay a $700m (£541m) settlement to the Federal Trade Commission.
The US regulator alleged the Atlanta based firm failed to take reasonable steps to secure its network. At least $300m of the settlement went towards paying for identity theft services and other related expenses run up by the victims.