Dive Brief:

• The Justice Department charged four members of China's People's Liberation Army for the 2017 Equifax hack that exposed the personal information of more than 145 million people, the agency announced Monday. Attorney General William Barr called the hack a "deliberate and sweeping intrusion into the private information of the American people."
• The attackers routed traffic through 34 servers in nearly 20 countries to mask their location, the DOJ said. They also used encrypted communication channels in Equifax's network to blend in with normal network activity, and deleted compressed files and wiped log files daily to erase records of their activity.
• The DOJ charged the members with three counts of conspiracy to commit computer fraud, conspiracy to commit economic espionage and conspiracy to commit wire fraud, the DOJ said. The defendants are also charged with two counts of unauthorized access and intentional damage to a protected computer, one count of economic espionage and three counts of wire fraud.

Dive Insight:

Attackers exploited a vulnerability in the Apache Struts Web Framework software used by Equifax's online dispute portal to acquire login credentials, which allowed them to navigate the credit bureau's network.

A patch for the vulnerable web application was available about two months prior to its exploitation.

The attackers spent several weeks running approximately 9,000 queries on Equifax's system and were able to collect personally identifiable information, according to the DOJ. 

The Equifax hack follows a pattern of state-sponsored​ computer crimes executed by China and its citizens to target confidential information, including PII and trade secrets. 

Financial services companies have more to lose in the aftermath of a breach than government agencies, healthcare providers or retailers, fellow credit bureau Experian reported in September. During the fallout of the breach, Equifax's CEO, head of cybersecurity and chief information officer resigned — the former CIO of information solutions was sentenced for insider trading.

In July, Equifax was slapped with a "the largest data breach settlement in history": $650 million. The settlement was broken down by compensation, allocating up to $425 million in consumer restitution. Impacted consumers would be granted an average of $125.  

But settlement funds were later capped at $31 million, and the Federal Trade Commission urged consumers to opt for credit monitoring instead of cash because Equifax would likely have run out of money to cover the payments.