145 Million consumer Equifax hack by Chinese PLA

Chinese Army Behind Breach of 145M Americans

The 2017 Equifax data breach that exposed the identities of nearly every adult in America was undertaken by the Chinese Army according to the US DOJ which issued warrants for the arrest of four members of the People’s Liberation Army (PLA). The sophisticated attack leveraged poor security by the credit bureau.

Department of Justice Accuses Four PLA Members of the Brazen Theft

According to the nine-count indictment delivered by a federal grand jury in Atlanta, the attack exploited a weakness in the Equifax software designed to allow consumers to go online and dispute errors in their credit reports. Equifax had not updated critical security software which allowed the PLA to access the names, date of birth and other personal information including the highly coveted Social Security Number associated with 145 million Americans. Equifax allegedly had the security patch for two months before the attack but failed to implement it.

Equifax, one of the three major credit bureaus along with TransUnion and Experian each maintain and sell the credit reports on virtually everyone in the United States who has established some form of mainstream credit such as a credit card or a utility bill. Credit bureaus do not maintain banking records, medical records or identity records. But if you have a credit card or a cell phone or a water bill in your name, you likely have a record with each of the major credit bureaus and were exposed by this massive data breach in September 2017.

Unclear Intentions by Chinese PLA

The attack was more sophisticated than simply getting into the Equifax system through an exploit of lax security. The PLA apparently tricked Equifax’s security into believing that over 9,000 requests were coming internally, chopped the massive Equifax database into small file sizes for transmission to avoid detection and used 24 servers in 30 countries as well as other sophisticated means to hide the nature of their activity and cover their tracks.

In their indictment the DoJ called this a “brazen theft” of US consumer data but admitted they do not know what the purpose of the attack was. It could be an economic theft from US consumers, part of a sophisticated data mining program to blackmail or learn about specific, vulnerable consumers or something else entirely. Or, all the above.

Because the data included everything needed to open new credit card accounts such as name, DoB and SSN, these types of identity records are extremely valuable on the dark web, selling for upwards of $120 each in many cases. More troubling is the possibility that the Chinese PLA could use the information on credit scores and payment histories to identify consumers vulnerable to bribery or other forms of manipulation and turn them against the interests of their employers or the United States.

Equifax Settlement Period Ended January 22, 2020

The impact of the Equifax data breach on consumers is expected to be substantial. Equifax agreed to set aside $31 million to settle claims associated with the breach and those who requested compensation from Equifax were entitled to up to $125 or reimbursement for their time and expenses if they have been victims of identity theft. Unfortunately, if the settlement is oversubscribed, payouts may end up being far less than consumers expected and no payout will protect consumers from future fraud.

There is an extended period to claim out of pocket losses from Equifax that lasts until January 22, 2024. However, this excludes losses of money and time associated with projecting your credit. Those activities might include paying for credit monitoring services, identity protection like MyProfyle or freezing and unfreezing your credit reports to prevent new accounts from being opened. More information about the settlement and the extended settlement can be found at equifaxbreachsettlement.com.

Credit Monitoring and Fraud Alerts Cannot Prevent Identity Theft

MyProfyle has told always told consumers that credit monitoring does not prevent identity theft. It is best thought of as a door alarm that goes off after your car or home has been broken into. At best it may alert you to a problem but the damage has already been done. That is why MyProfyle which provide proactive identity protection that puts you in control of your identity, allowing you to approve or reject transaction such as new account applications, is the far better solution.

MyProfyle was designed specifically to address the unavoidable weaknesses of companies like Equifax and it also works to protect Children, foreign nationals or anyone from fraud occurring both within and outside the United States. No credit bureau-based solution can do any of this.

What Can You Do?

MyProfyle reminds its users that exposure by hacks and data breaches are only one way our identities and privacy are put at risk by companies with lax security or who fall pretty to innovative hackers. Pervasive tracking, cloud storage and poor security mean that reams of new data about each of us are captured and stored every day. Become a Free Basic MyProfyle member today and learn more about risk factors like these so that you can take the appropriate steps to protect yourself and approve of reject use of your identity.


USA Today

New York Times

Did You Find This Post Interesting?

Join our email list to get the latest blog posts sent to you