Washington-- The U.S. Government is charging four members of the Chinese military of hacking into Equifax to steal the financial data of 145 million Americans.

“This was a deliberate and sweeping intrusion into the private information of the American people,” Attorney General William P. Barr said in a statement. "Unfortunately, the Equifax hack fits a disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China."

The Equifax data breach, which occurred in 2017, was the worst data breach in history. It exposed sensitive personal information, including social security numbers, birthdates, credit card numbers and driver’s license numbers, putting consumers at risk of several types of identity theft and fraud. 

On July 29th, 2017, Equifax’s security department identified and started investigating suspicious activity associated with the part of its website where consumers could dispute information on their credit reports. But Equifax didn’t publicly disclose the breach until September 7th, six weeks later.

Some may see the charges as absolving Equifax of responsibility in the largest hack of American’s financial information.  It’s not the first time Equifax has tried to avoid consequences and blame for the major hack.

But since the breach, several Congressional reports, a half-billion dollar settlement, and the termination of its CEO together have revealed consistent flaws in Equifax’s approach have numerous failures on part of the company that contributed to the breach and increase risk to consumers. 

Most notably, the company failed to apply a patch it’s Apache Struts web enterprise software that left it extremely vulnerable for a hack. The vulnerability was first disclosed in March along with simple instructions on how to fix the problem, but by May Equifax still hadn’t acted creating a relatively easy hack to access consumer’s financial information.

When the news came out, Apache Software Foundation said in a statement, "Most breaches we become aware of are caused by failure to update software components that are known to be vulnerable for months or even years.”

A Congressional report found the breach was “entirely preventable” by mitigating cybersecurity problems such as the patch. In addition, the lack of accountability within the IT management structure, led to slow and patchwork responses at times. Finally, the company used outdated systems while storing the information of hundreds of millions of Americans.  

The company also botched its response by:

• Delaying public notification for six weeks

• Setting up an online search tool that provided faulty results about which individuals were affected

• Directing consumers to a fake website

• Initially including arbitration language that forced consumers to sign away their rights to a day in court

• Failing to offer consumers full protection from new account identity theft -- which Equifax still hasn’t done.

Because the stolen data acts as an individual’s financial DNA, it’s loss can have lifelong consequences. Equifax was fined $650 million because of the hack with many Americans getting free credit monitoring for up to ten years or a small pay out. Still that pails in comparison to the $1 billion fine for Wells Fargo’s financial transgressions, despite many more people being put at financial risk.

A new federal law that went into effect in September of 2018 allows everyone to freeze, and thaw, their credit for free. Shep recommends freezing your credit to prevent anyone with access to your financial information through this or other hacks from opening accounts in your name. U.S. PIRG Education Fund has instructions here.