US Indicts Four Chinese Military Officers For Equifax Hack

Tom Burroughes, Group Editor, February 11, 2020

One of the biggest cybersecurity breaches to have hit a US financial organization so far, the saga further reinforces why wealth managers need to guard against hackers and ensure that their systems, and HR policies, are fit for purpose to deal with a growing menace.

(Editor’s note: For some time, reports about cyber attacks have prompted thoughts that foreign state actors, such as China and Russia, among others, are at fault. And it is not just foreign agencies that have come under fire: the explosive claims made in 2013 by Edward Snowden about the US National Security Agency have raised concerns about the state’s treatment of private information. Paradoxically, these events have put a spotlight on the need to honor financial privacy at a time when governments have been hunting for beneficial ownership data. Cybersecurity is now a top-line spending and strategy area in the fintech space. See this Charles Schwab study here.)

The saga of how 147 million people were hit in 2017 by the hacking attack on credit rating firm Equifax took another twist yesterday. The US Department of Justice has indicted four members of China’s People’s Liberation Army over the attacks.

It is one of several attacks that have shaken sectors such as wealth management, forcing cybersecurity up the agenda for organizations such as family offices, advisors, private banks and investment houses. The hack mostly affected Americans, but reports said that some Canadians and UK persons were also affected.

A federal grand jury in Atlanta returned an indictment last week charging four members of the Chinese People’s Liberation Army (PLA) with hacking into the computer systems of the credit reporting agency Equifax and stealing Americans’ personal data and Equifax’s valuable trade secrets, the DOJ said in a statement on February 10. 

The nine-count indictment alleges that Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei were members of the PLA’s 54th Research Institute, a component of the Chinese military.  

“They allegedly conspired with each other to hack into Equifax’s computer networks, maintain unauthorized access to those computers, and steal sensitive, personally identifiable information of approximately 145 million American victims,” the DOJ’s statement said. 

Attacks on other institutions, ranging from JP Morgan through to Germany’s rail network in recent years, have fueled fear of cybercrime. Professional services firm Accenture puts the cost of cybersecurity to the global economy at $5.2 trillion over the next five years.

“This was a deliberate and sweeping intrusion into the private information of the American people,” Attorney General William P Barr, who made the announcement, said. “Today, we hold PLA hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us. Unfortunately, the Equifax hack fits a disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China and its citizens that have targeted personally identifiable information, trade secrets, and other confidential information.”


Exploiting vulnerability
According to the indictment, the defendants exploited a vulnerability in the Apache Struts Web Framework software used by Equifax’s online dispute portal. They used this access to conduct reconnaissance of Equifax’s online dispute portal and to obtain login credentials that could be used to further navigate Equifax’s network, the statement continued. 

The defendants spent several weeks running queries to identify Equifax’s database structure and searching for sensitive, personally identifiable information within Equifax’s system. Once they accessed files of interest, they stored the stolen information in temporary output files, compressed and divided the files, and ultimately were able to download and remove data from Equifax’s network to computers outside the US.

In total, the attackers ran approximately 9,000 queries on Equifax’s system, obtaining names, birth dates and social security numbers for nearly half of all American citizens. China has denied the allegations and insisted it does not engage in cyber-theft (source: BBC, other).

Equifax welcomed the DOJ’s actions and those of the Federal Bureau of Investigation.

"We are grateful to the Justice Department and the FBI for their tireless efforts in determining that the military arm of China was responsible for the cyberattack on Equifax in 2017. It is reassuring that our federal law enforcement agencies treat cybercrime – especially state-sponsored crime – with the seriousness it deserves, and that the Justice Department is committed to pursuing those who target US consumers, businesses and our government. The attack on Equifax was an attack on US consumers as well as the United States,” CEO Mark W Begor said. 

“Cybercrime is one of the greatest threats facing our nation today, and it is an ongoing battle that every company will continue to face as attackers grow more sophisticated. Combating this challenge from well-financed nation-state actors that operate outside the rule of law is increasingly difficult. Fighting this cyberwar will require the type of open cooperation and partnership between government, law enforcement and private business that we have experienced first-hand,” Begor said.

“We are spending an incremental $1.25 billion between 2018 and 2020 on enhanced security and technology as part of our EFX 2020 cloud technology transformation, and we have made tremendous progress toward embedding security into everything we do,” he added.
