Posted on

Unemployment Claims Fraud Exploits Weak Spots in System

The for-sale ad appeared last week in an underground internet bazaar that specializes in selling stolen accounts and data. It was for access to a filched unemployment insurance claim in California that had been approved and offered benefits worth $17,550.

The black-market sale of jobless benefits is just one sign that the unemployment insurance system — the main artery for delivering financial assistance to laid-off workers — has been besieged during the coronavirus crisis by criminal networks intent on bilking the government out of hundreds of millions of dollars.

In California, fraud was so pervasive that officials have suspended processing jobless claims for two weeks to put new controls in place and reduce a bulging backlog.

The U.S. Labor Department recently made fraud detection a priority, dedicating $100 million to combat the problem. But several state officials and cybersecurity experts say some of the efforts have been misdirected, designed to uncover workers misrepresenting their eligibility instead of large-scale identity theft.

“The focus continues to be on lying instead of stealing,” said Suzi LeVine, the commissioner of the Employment Security Department in Washington, one of the first states to be flooded with fraudulent claims.

Social service agencies have historically been preoccupied with preventing potential beneficiaries from cheating the government — individuals who lie about seeking a job or the date of their return to work.

“Anti-fraud systems are organized around that,” Ms. LeVine said. “Saying I was looking for a job when I was actually on a beach in Cabo.”

But most fraud is now being engineered by cybercriminals, some of them working together, who have stolen or bought other people’s identities and are using them to raid state unemployment systems.

Since March, Washington State has turned up nearly 87,000 impostor cases. From January 2018 to June 2019, there were 184.

Traditional fraud-prevention strategies, Ms. LeVine said, “will not help us catch these thieves.”

Think of it as the difference between an attack within and one coming from the outside. Previously the cheating came mostly from workers who were in the system and trying to get something they were not entitled to. Now “it’s people outside of the system who are impersonating other people or breaking in,” explained Roman Sannikov, director of cybercrime and underground intelligence at the cybersecurity firm Recorded Future.

Using stolen identities to steal from the government, of course, is not new. Such thefts have bedeviled programs from school loans to Medicare and disaster relief. But unemployment insurance has generally not been a ripe target because states have been reducing benefits and tightening access since the last recession and caseloads have been falling.

Credit…Recorded Future

That changed after Congress moved in March to deliver assistance to suddenly jobless workers when the coronavirus outbreak upended the economy.

“Criminals go where the money is,” said Avivah Litan, an analyst at the research and consulting firm Gartner. After Congress passed the CARES Act, the emergency relief — including the Pandemic Unemployment Assistance program and a temporary $600 weekly supplement — was where the money was.

And that is where the bulk of the fraud has been aimed. Handled by the states, pandemic jobless benefits were meant to fill gaping holes in the safety net by covering self-employed, part-time and gig workers; independent contractors; and others ordinarily ineligible for unemployment insurance.

But the desire to quickly get money to households facing eviction, hunger or financial ruin made the program vulnerable to swindlers.

In Ms. Litan’s view, the federal government has not devoted sufficient resources to secure its systems against cybercrime and identity theft.

Some of the schemes, like those that hit Washington State in the spring, were linked by federal investigators to a Nigerian-based criminal ring called Scattered Canary. The ring used stolen Social Security numbers and other identity theft, and was suspected of operating in North Carolina, Massachusetts, Rhode Island, Oklahoma, Wyoming and Florida.

Washington State officials shut down the unemployment system for two days in mid-May as part of an effort to halt illegitimate payments that ended up totaling $576 million. The state has recovered $346 million so far.

Parker Crucq, a senior threat intelligence analyst at Recorded Future, said the number and types of perpetrators had grown, ranging from organized networks and technological whizzes to bush-league hucksters.

“While many of these threats require knowledge of social engineering techniques, they likely do not require a degree of technical sophistication,” Mr. Crucq wrote in an assessment of unemployment insurance schemes. “This means that there is a low barrier to entry for potential scammers and criminals who are interested in getting involved with this form of fraud.”

In hacker forums and on the so-called dark web, where users can hide their identity and location, “some of these actors are specifically calling out state agencies by name, boasting that it’s quite easy to fill out applications on multiple occasions from information scraped from previous data breaches,” he said.

Over three weeks in September, the police in Beverly Hills, Calif., arrested 87 people from states as far away as Alaska and New York on charges related to unemployment insurance fraud. The accused were not working in tandem but followed a similar pattern, applying for benefits with Social Security numbers stolen from people who had died or were in prison or nursing homes, said Lt. Max Subin, a department spokesman.

Sometimes using false addresses and “mules” or intermediaries, they then picked up debit cards loaded with thousands of dollars’ worth of jobless benefits from the state’s Employment Development Department.


Credit…Beverly Hills Police Department

Those involved used the cards — often several at a time — to embark on shopping sprees, buying high-end handbags, belts, wallets, shoes and clothing or renting luxury cars, the police said.

Identify theft is a particularly insidious form of unemployment insurance fraud, frequently pre-empting benefits for those entitled to them and undermining confidence in the program.

“The thing that is so maddening about impostor fraud is that it strikes at the core of how unemployment insurance systems operate,” said Scott Jensen, director of the Rhode Island Department of Labor and Training. “If fraudsters are giving us fake information, it’s hard to verify it.”

An inaccurate Social Security number, for instance, is spotted immediately. “But if a fake Scott Jensen comes in with the real Scott Jensen’s Social Security number, then it checks out,” he said. Most of the fraud is not discovered until people get letters or checks from the agency and call to say they never applied.

For years, “this has been a weakness that has been really hard to fix,” Mr. Jensen said. “What is different now is the scale.”

Fraud linked to identity theft made up about 3 percent of all unemployment claims last year, according to government audits. With the pandemic program, that figure has skyrocketed.

Last week, Arizona said it had flagged over one million of 2.4 million claims — more than 40 percent — as potentially fraudulent. Over the summer, Connecticut found that 77 percent of Pandemic Unemployment Assistance claims were faked.

With state unemployment claims, there is a built-in verification process because employees have to submit their W-2 tax form and a document from their employer showing that they are no longer employed. Pandemic Unemployment Assistance, by contrast, depends largely on individuals’ certifying that they are unemployed because of the coronavirus outbreak.


Credit…Beverly Hills Police Department

Ms. LeVine in Washington State said that the U.S. Labor Department’s most recent directives focused more on data integrity, but that other efforts — like demanding that applicants certify their status each week — did little to catch the widespread fraud linked to identity theft.

“It’s better suited to catching people who might be lying or making sure they comply with eligibility requirements,” she said. “It will not help us fight impostor fraud.” For thieves, it’s just another box to check on an already fraudulent claim.

In response, a Labor Department representative said that “the department has been focused on ensuring program integrity” and that it provided a wide range of information, tools and resources as well as extensive technical assistance to prevent fraud and improper payments.

State and federal officials are caught between getting money as quickly and efficiently as possible to people who desperately need it and erecting roadblocks to cut off criminals from improperly collecting benefits.

“There are a lot of fraud tools,” like multifactor identification, said Mr. Jensen, Rhode Island’s labor chief, “but if you front-load the unemployment insurance system with them, then claimants can’t get through.”

Mr. Jensen contends that significant improvements and more sophisticated detection tools — including questions to verify a user’s identity, like the model of a first car — could be put in place quickly and inexpensively if unemployment insurance systems, antiquated in many states, switched to cloud-based computing.

“People are always going to try to steal money,” he said. “We have to work harder and faster and smarter to defeat them.”

Posted on

Unemployment Benefits Program Has Issues With Fraud and Math

Two weeks ago, shortly after she advertised an apartment for rent in the Bay Area, Barbara Lamb found five envelopes from the state’s unemployment office in the building’s communal mail slot. They kept coming, day after day, until a stack of more than 30 piled up, bulging with notices of benefit approvals, questionnaires about job status — and debit cards with money.

“They could barely get them through the mail slot, they were so thick,” she said.

But Ms. Lamb had not applied for benefits, and had never heard of the people to whom the envelopes were sent. Fearing the address of the vacant unit was being used as part of a fraud scheme to collect the money, she contacted the F.B.I.

California is at the center of increasing concerns about extensive fraud in a federal program to push unemployment benefits to freelancers, part-timers and others lacking a safety net in the coronavirus pandemic.

Credit…Jim Wilson/The New York Times

At the same time, there is growing evidence of problems keeping track of how many people are being paid through the program. The Labor Department reports about 15 million claims for benefits nationwide. A comparison of state and federal records by The New York Times suggests that total may overstate the number of recipients by five million or more.

If the number of people getting unemployment benefits is lower than officially reported, it could affect thinking about the scale of the pandemic’s economic impact. In addition, the taint of fraud could undermine support for the program, and efforts to combat abuses may make it harder for legitimate applicants to collect benefits, which are distributed by the states.

The program, Pandemic Unemployment Assistance, is part of a $2.2 trillion relief package hurriedly enacted in March. In the latest Labor Department tally, the program accounted for nearly half the total recipients collecting jobless benefits of any kind.

Those figures imply that nearly seven million people are collecting Pandemic Unemployment Assistance benefits in California alone, far more than its population would suggest. The state’s own data suggests the number may be less than two million. Experts on the unemployment system say such discrepancies seem to reflect multiple counting as states rushed out payments.

But a surge in new claims in California — where they have risen to more than 400,000 a week, twice the level in August — is attributed not to accounting, but to fraud.

“We do suspect that a big part of the unusual recent rise in P.U.A. claims is linked to fraud,” said Loree Levy, a spokeswoman for the California Employment Development Department. She said the state was investigating “unscrupulous attacks” exploiting identity theft and vulnerabilities in the system.

Pandemic Unemployment Assistance is meant to provide benefits to the self-employed, independent contractors, gig workers, part-timers and others ordinarily ineligible for state unemployment insurance. Set up to last through the end of the year, it was a major element of the CARES Act, which economists widely agree has kept the country from a far greater economic calamity. According to the Labor Department, $47 billion in pandemic unemployment benefits have been paid so far.

Fraud is not uncommon in hastily assembled disaster programs, including the Paycheck Protection Program, the component of the CARES Act that provided forgivable loans to small businesses to help weather the pandemic without layoffs.

But signs of trouble with the Pandemic Unemployment Assistance program have surfaced for months as people who did not file claims — including the governor of Arkansas — found benefits issued in their names. A growing number of states have signaled that the problems with the program go beyond the routine.

California has warned that it is cutting off recipients when it detects irregularities, like mailings stacking up at a given address. “These situations are believed to be fraud, and scammers will often try to intercept, redirect, or gather mail associated with these claims,” the state’s employment agency wrote.

Colorado said Thursday that in a six-week stretch this summer, 77 percent of new claims under the program were not legitimate.

“Nationally, it’s just presented an opportunity for criminals to take advantage of a program that doesn’t have a lot of safety measures in place,” said Cher Haavind, deputy executive director of the Colorado Department of Labor.

Citing a significant increase in fraud, the Labor Department set aside $100 million recently to help states prevent, detect and investigate misuse of Pandemic Unemployment Assistance and a smaller federal jobless benefits program. But fraud is not the only issue raising questions about the surge in recipients reflected in official data.


Credit…Bryan Woolston/Reuters

Experts on the unemployment system figured out months ago that the tallies being reported to the Labor Department were overstated in many states, most likely because of processing backlogs that led to multiple counting of individual recipients. They expected the issue to fade as backlogs cleared and job losses slowed. Instead, the overcounting issue may even have become more serious in some states.

“It’s a perfect storm,” said Stephen A. Wandner, a former top Labor Department official who is now a senior fellow at the National Academy of Social Insurance. “You’ve got insane numbers of applications compared to what the states are used to and inadequate numbers of staff to process and adjudicate claims.”

Determining the scale of the problem on a national level has proved difficult, however. Overwhelmed state employment offices have struggled to provide timely data to the federal government, and there have been several examples of outright errors making their way into the official data.

At least some of the overcounting appears to reflect the way the Labor Department collects statistics on unemployment benefits. The government does not track the number of individual people receiving benefits, but rather the total number of weeks of benefits claimed. During normal times, when claims are processed on a weekly basis, the number of recipients and the number of weeks are essentially the same — each person files for one week of benefits each week. (Further complicating matters, the department tracks claims for benefits, not all of which are approved.)

During the pandemic, however, the flood of claims overwhelmed state employment offices. Because benefits are paid retroactively, processing delays meant that by the time many people were approved for benefits, they were owed several weeks at once — so they counted as multiple “continuing claims” in a single week.

In the absence of a reliable count from the Labor Department, economists have tried to estimate the number of recipients using data from surveys, federal spending data from the Treasury Department and other sources. Those approaches yield a wide range of estimates, but most suggest that the official total overstates the true number of recipients by millions.

“It’s almost certainly lower than is being reported,” said Daniel Zhao, senior economist for the career site Glassdoor. He said it was hard to come up with a precise estimate, but that the true number was most likely below 10 million, not the nearly 15 million counted by the Labor Department.

The Labor Department did not immediately respond Friday to a query about the reporting discrepancies.

Mr. Zhao said that the counting issues did not fundamentally alter the bigger picture: Millions of Americans are still relying on unemployment benefits to pay rent and buy food, and that number has fallen only slowly over time.


Credit…Jonathan Ernst/Reuters

Pandemic Unemployment Assistance aims to capture those lacking a path into traditional state benefits and accounts for the pandemic’s particular disruptions. A college student could qualify if she interviewed for a job in February and was set to start working in March but never did. So could people with limited earnings histories, and some of those unable to work because of child-care needs arising from school shutdowns.

The minimum payment is usually half the average weekly benefit paid under a state’s regular unemployment program. The maximum for an individual ranges from $235 a week in Mississippi to $823 in Massachusetts, according to the job site ZipRecruiter.

And the claims process is streamlined compared with conventional unemployment insurance, making it more vulnerable to fraud, said Michele Evermore, senior researcher and policy analyst at the National Employment Law Project.

Before collecting state unemployment insurance, applicants usually must provide proof of past work or have state agencies contact employers. With Pandemic Unemployment Assistance, many people can start collecting the minimum with far less documentation. Then they generally have 21 days to provide evidence of lost work, like a pay stub or a 1099 form from the Internal Revenue Service.

In an emergency program like Pandemic Unemployment Assistance, Ms. Evermore said, there is a natural tension between the need to get payments flowing and the risk that some people will take advantage and fraudulently apply for benefits.

“There is a choice between denying benefits or accidentally overpaying people,” she said. “With Pandemic Unemployment Assistance, scammers may be getting money that is meant for the unemployed.”

Erica Quealy, communications director of the Michigan Department of Labor and Economic Opportunity, said the program had become the prey of “large fraud rings.” Michigan’s attorney general has conducted hundreds of investigations, and the state has appointed a special fraud adviser and brought in the consulting firm Deloitte to help.

Some schemes involve using false Social Security cards and fake driver’s licenses to apply. One man was charged with filing applications in Pennsylvania under false names, and then having benefits worth $150,000 in debit cards mailed to addresses in Michigan, according to the state attorney general. Prosecutors said he used the money to buy a $45,000 Rolex watch.

The rate of fraudulent claims in Colorado has been striking. After adding more screening measures to catch fraud, Colorado found that more than three out of four claims filed over a six-week period for jobless benefits under the federal Pandemic Unemployment Assistance program were bogus.

On Thursday, the state said it had reduced its count of new claims filed from July 12 to Aug. 22 by 48,000 because of new fraud-detection efforts. Before being discovered, though, those responsible for the fraud were able to collect $40 million during that period, said Jeff Fitzgerald, head of the state’s unemployment insurance program.

Officials estimated that the state’s screening tools had saved the federal government $750 million to $1 billion over eight weeks by halting wrongful payments or by flagging them before they were made.

“What we’re looking at is quite sophisticated,” Mr. Fitzgerald said. “It is something that a common individual would not be able to do, and really it points to orchestrated, very sophisticated, large fraud schemes. These aren’t onesies and twosies.”

The fraud detection efforts are putting an enormous burden on the states. Mr. Fitzgerald said that Colorado had assigned 60 people to investigate unemployment fraud, compared with five in normal times.

In the meantime, the mail keeps coming. Ms. Lamb, whose East Bay rental unit had been inundated with envelopes, rubber-banded them into neat stacks Thursday to send back to the state unemployment office. She had given the five addressees’ names to the F.B.I.

On Friday, two more envelopes arrived from the state, bearing a new name.

Tara Siegel Bernard contributed reporting, and Sheelagh McNeill contributed research.

Posted on

Fraudulent Jobless Claims Slow Relief to the Truly Desperate

When Alexandria Preston had to leave her job as a medical assistant to care for her two children during the pandemic, she didn’t encounter endless delays like so many others trying to get unemployment benefits.

But three weeks later, the payments stopped coming. Then her account was canceled entirely — forcing her to dip into the savings she had set aside for dental work for her 12-year-old daughter, who has cystic fibrosis.

Ms. Preston’s claim had been flagged with the date 9/9/9999 — an indication that it was being reviewed for identity fraud, a vexing problem for an already strained unemployment system that has delayed payments to hundreds of thousands of jobless people.

“It was two weeks of not knowing anything and not getting any answers,” said Ms. Preston, who lives in Bangor, Maine.

More than 40 million workers have filed for unemployment benefits since the early days of the coronavirus pandemic — over seven times the number of requests in all of 2019. And all of those claims have been convenient cover for identity thieves filing bogus applications that could cost billions of dollars.

“Fraudsters have been able to hide in the flood of data,” said Pam Dixon, executive director of the World Privacy Forum, a public interest research group. “It is a perfect storm of identity fraud. Anyone who has experienced a major breach in the past three or four years could fall victim to this.”

The coronavirus has made the unemployment system, which is administered by the states, an attractive target in other ways, too: The CARES Act relief package added an extra $600 a week to successful claims and expanded eligibility to self-employed and similar workers, who are not subject to the same employment verifications that typically apply.

Having your application flagged for review doesn’t necessarily mean someone else tried to pose as you — it just means your state thought it warranted further inspection. Fraudulent claims have forced states to dial up their scrutiny and deploy systems that mark potentially suspicious claims. And those reviews take time.

Ms. Preston, 29, said she had been told that a review of her account would delay payments for at most 72 hours, but that wasn’t even close. “I had called hundreds of times every day for the following week and still didn’t get anything,” said Ms. Preston, whose daughter has to be completely isolated during the pandemic.

The Maine Labor Department said in a Facebook post that claimants should email their identification — an idea that made Ms. Preston nervous, because officials have warned against exactly that in the past. She did it anyway.

A little less than a week later, her payments resumed.

“It was very stressful going without any payment for three weeks and not having any idea when it would be fixed,” she said.

Officials in Maine said they did not comment on specific cases, but added that everyone whose claim was being flagged would now receive instructions on how to verify their identity through a mailed letter.

Improper payments nationwide could cost up to $26 billion this year, largely because of fraud, according to congressional testimony from Scott Dahl, who just retired as inspector general at the Department of Labor. The department is investigating more than 400 matters related to unemployment insurance, and it expects that number to continue to rise.

The damage to families can be life changing — far more consequential than having to cut up a compromised credit card. Some have gone without income for months, consumer advocates said.

“People are losing their cars, their homes, and they are moving back in with other family because they cannot pay for things,” said John Tirpak, executive director of the Unemployment Law Project, a nonprofit advocacy and legal services organization in Washington State. “It is quite a crisis for many people, and it is not a few isolated incidences.”

Washington may have been the hardest-hit state: Criminals collected as much as $650 million in benefits, although the state has already recouped about $350 million with the help of federal law enforcement, according to a spokesman for the state’s Employment Security Department.

Roughly 200,000 claimants in Washington were flagged for identification fraud in mid-May, and in mid-June 50 members of the National Guard started to help process the remainder of those claims, which were recently resolved. But there are still 71,000 people who have filed since March and have not received benefits.

Michael DeMaddalena said the delays had made him homeless. He was about to start a job as a cook at T-Mobile Park, home to the Seattle Mariners, on March 24 before the virus put the major-league baseball season on hold. He filed more than three months ago, but the $835 a week he appeared to be eligible for has never arrived.

In mid-April, Mr. DeMaddalena lost the room he had been renting for $100 a week, and with shelters on lockdown because of the pandemic, he had nowhere to go. He set up a tent close enough to a Starbucks to get free Wi-Fi so he could keep tabs on his application.

Since then, he has twice provided Washington’s Employment Security Department proof of his identity — by faxing and uploading copies of his Social Security and identification cards. But his disqualification remains unexplained.

State officials declined to discuss Mr. DeMaddalena’s case, but a Seattle law firm took a statement from him as part of a legal action demanding prompt payment of benefits that it said had been halted in response to fraudulent filings from overseas.

“I have done everything they have asked — and no response, no nothing,” Mr. DeMaddalena, 50, said. He said he had little more than the clothes on his back. “It is one thing to visualize my story, and another to walk in my shoes and sleep in my tent and not have running water.”

In a memo obtained by The New York Times in May, the Secret Service suspected a well-organized Nigerian crime ring for the problems in Washington, and said there was evidence of coordinated attacks in at least six other states: North Carolina, Massachusetts, Rhode Island, Oklahoma, Wyoming and Florida.

But the agency said it was likely that other states would be vulnerable. Michigan has cleared about 220,000 of the 340,000 active claims it stopped paying in late May, but tens of thousands more need to be analyzed, according to state officials. New York identified roughly 9,000 impostor claims, which would have cost up to $160 million.

Pennsylvania initially flagged 58,000 claims, all through its pandemic unemployment system, which covers self-employed workers and others who typically do not receive benefits. The majority of those have been verified as authentic, the state said. It declined to provide additional details, citing an active investigation.

Julia Simon-Mishel, a supervising attorney at the unemployment compensation unit at Philadelphia Legal Assistance, said fraudsters had used stolen personal information to have benefits deposited into accounts they controlled. The state responded by switching to paper checks, she said.

“That has caused significant delays,” she said. “It has been really traumatic for clients who live in neighborhoods where the mail is not secure and not consistent.”

Some applicants have been unable to collect benefits because identity-theft problems from years past continue to haunt them.

“They can’t complete an application — and they are not receiving any money even though they are entitled to it, even though they are on the verge of eviction,” said Laurie Yadoff, director of an economic advocacy and community health project at Coast to Coast Legal Aid of South Florida, who has worked with several clients with lingering problems.

One of them, Kristina Guzman, tried to file for benefits immediately after she was furloughed in mid-March from her job at a casino near Hollywood, Fla. But she was blocked because someone else had filed in her name nearly six years ago. She told officials back then that it was fraudulent and thought that was the end of it.

Ms. Guzman, 31, said she had tried to call the state unemployment’s identity theft line daily — starting two minutes before it opened, at 7:28 a.m. — but could never get through.

“It goes straight into ‘This line is busy,’ and there is no call-back number,” she said.

Ms. Guzman said she had twice tried paper applications and filed a complaint to have a supervisor call her back. Then she received a letter saying that if she didn’t get in touch by phone, her application would be closed. In early May, she started trying the governor’s office.

Florida’s Department of Economic Opportunity, which was reviewing more than 20,000 potentially fraudulent claims, said it could not comment on specific accounts because of privacy concerns, but told The Times that it would look into Ms. Guzman’s case.

Last week, she was informed that her account had been unlocked — the department told her it had received her contact information from the governor’s office — and that her payment was on its way.

But Ms. Guzman is still dealing with the repercussions of the three-month delay: Her landlord is trying to evict her and her 11-year-old daughter from their apartment.

“I am basically in a hole,” she said.

If you’re having trouble resolving an identity theft issue with your unemployment claim — or want to prevent one in the future — privacy experts and legal advocates have some suggestions:

  • First, immediately report the bogus claim to your state labor department. The World Privacy Forum offers a guide with links to each state’s unemployment fraud page.

  • Notify your employer of the claim, too, because it will also need to file documentation, said Pam Dixon, the privacy forum’s executive director.

  • File a complaint at the National Center for Disaster Fraud on its website or call 866-720-5721.

  • Check your credit report for unusual activity. Each of the Big Three credit reporting companies — Equifax, Experian and TransUnion — is offering a free credit report weekly at through April.

  • Freeze your credit files at each of the bureaus, which will prevent fraudsters from opening new credit-related accounts in your name.

  • Use a new email address for financial and government transactions.

  • Be on high alert for other fraud. If criminals have enough information to file an unemployment claim, they could try to apply for other benefits — or even try to file a tax return to collect a refund.

  • Reviews like this take time, but long delays can be frustrating. You may be locked out of your account or simply unable to get a representative on the phone. In that case, legal advocates suggest, contact your state or federal representatives. Legal Aid may also be able to help.

  • A delay shouldn’t keep you from collecting what you’re owed. If you return to work before getting benefits that you were eligible to receive, you are still entitled to collect that money.

  • Consider creating an online benefits account with your state even if you are employed and do not need to file a claim. That makes it more difficult for scammers to create a new account with your information — and if they try, their behavior is more likely to be detected.

  • The U.S. Department of Labor’s and the Federal Trade Commission’s websites have more resources about identity theft.

Posted on

U.S. Charges Chinese Military Officers in 2017 Equifax Hacking

WASHINGTON — Four members of China’s military were charged on Monday with hacking into Equifax, one of the nation’s largest credit reporting agencies, and stealing trade secrets and the personal data of about 145 million Americans in 2017.

The charges underscored China’s quest to obtain Americans’ data and its willingness to flout a 2015 agreement with the United States to refrain from hacking and cyberattacks, all in an effort to expand economic power and influence.

The indictment suggests the hack was part of a series of major data thefts organized by the People’s Liberation Army and Chinese intelligence agencies. China can use caches of personal information and combine them with artificial intelligence to better target American intelligence officers and other officials, Attorney General William P. Barr said.

“This was a deliberate and sweeping intrusion into the private information of the American people,” he said.




Barr Announces Charges Against Chinese Military Officers

Attorney General William P. Barr said the U.S. charged four Chinese military officers in the 2017 hacking of Equifax, which included the personal data of about 145 million Americans.

I’m here to announce the indictment of Chinese military hackers, specifically foreign members of the Chinese People’s Liberation Army for breaking into the computer systems of the credit reporting agency, Equifax, and for stealing the sensitive personal information of nearly half of all American citizens, and also Equifax’s hard-earned intellectual property. Today’s announcement comes after two years of investigation. According to the nine-count indictment handed down by the grand jury in Atlanta, four members of the Chinese People’s Liberation Army are alleged to have conspired to hack Equifax as computer systems and commit economic espionage. This kind of attack on American industry is of a piece with other Chinese illegal acquisitions of sensitive personal data.

Video player loading
Attorney General William P. Barr said the U.S. charged four Chinese military officers in the 2017 hacking of Equifax, which included the personal data of about 145 million Americans.CreditCredit…Sarah Silbiger/Getty Images

The information stolen from Equifax, which is based in Atlanta, could reveal whether any American officials are under financial stress and thus susceptible to bribery or blackmail.

Though not as large as other major breaches, the attack on Equifax was far more severe. Hackers stole names, birth dates and Social Security numbers of nearly half of all Americans — data that can be used to access information like medical histories and bank accounts.

“This kind of attack on American industry is of a piece with other Chinese illegal acquisitions of sensitive personal data,” Mr. Barr said at a news conference announcing the charges, citing China’s theft of records in recent years from the government’s Office of Personnel Management, Marriott International and the insurance company Anthem.

The biggest of those breaches was the theft in 2015 of roughly 22 million security clearance files from the government personnel office, which keeps track of federal employees and contractors.

It quickly became clear that the data was of significant value to the Chinese government: American officials with security clearances — including some of the most senior members of the government — had to reveal foreign contacts, relationships including extramarital affairs, health histories and information about their children and other family members.

The breach was so severe that the C.I.A. had to cancel assignments for undercover officers planning to go to China; though the agency did not submit its employees’ information to the personnel office, those individuals were often undercover as State Department or other government officials.

Then it got worse. Hacks into Anthem’s database and Starwood hotels — later taken over by Marriott — appeared to be orchestrated by the same or related Chinese groups. The United States assessed that China was building a vast database of who worked with whom in national security jobs, where they traveled and what their health histories were, according to American officials.

Over time, China can use the data sets to improve its artificial intelligence capabilities to the point where it can predict which Americans will be primed for future grooming and recruitment, John C. Demers, the assistant attorney general for national security at the Justice Department, said in an interview.

The charges were only the second time that the Justice Department has indicted Chinese military officers on suspicions of hacking. In 2014, five Chinese military officers were indicted in data thefts from a labor union, critical infrastructure and companies including U.S. Steel.

The Justice Department rarely secures indictments against members of foreign militaries or intelligence services, in part to avoid retaliation against American troops and spies, but Mr. Barr said it has made exceptions for state-sponsored actors who hacked into American networks to steal intellectual property or interfere in United States elections.

In 2015, President Barack Obama and President Xi Jinping of China agreed to rein in economically motivated cyberattacks in order to cooperate with requests to investigate cybercrimes and to avoid targeting critical infrastructure in each other’s countries.

While Justice Department officials do not believe economic espionage was the primary goal of the Equifax hacking, Mr. Demers said the attack could be seen as a violation of the spirit of that deal.

“China sees economic interests and intelligence interests as one and the same,” he said. “Commercial benefits are national security benefits in China.”

The indictment shows that in addition to signing treaties and adopting certain conventions, the United States must also be willing to publicly identify and indict state actors in criminal cases, said Megan Brown, the leader of the cyber and privacy practice at the law firm Wiley Rein.

“This is how we will drive international norms: by indicting people, not solely by negotiating treaties and adopting conventions,” she said.

The nine-count indictment accused the Chinese military of hacking into Equifax’s computer networks, maintaining unauthorized access to them and stealing sensitive, personally identifiable information about Americans.

Months before the attack, the government warned Equifax that its network contained a vulnerability, but the company did not patch it, according to government documents. The hacking was “entirely preventable,” a congressional study concluded in 2018.

The defendants — Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei, all members of the People’s Liberation Army — exploited that weakness in May 2017 to break into the network, conduct weeks of surveillance and steal Equifax employee login credentials before filching trade secrets and data. They masked their activity by using encrypted communications and routing their internet traffic through 34 servers in nearly 20 countries, including Switzerland and Singapore, according to prosecutors.

For the most part, they managed to erase their tracks inside of the Equifax network. But investigators eventually traced their activity to two China-based servers that connected directly to Equifax.

Investigators identified the four indicted officers by reviewing forensic data, analyzing the malware used in the attack and establishing a digital footprint that linked them to the intrusion, David Bowdich, the deputy director of the F.B.I., said at the news conference.

In the months after Equifax was hacked, security researchers concluded that criminals, not state actors, had siphoned information over a few months after gaining access to the network. That alone was enough to force the resignation of the company’s chief executive.

But that explanation appeared increasingly suspect over time because the Equifax data — like the information gleaned from the Office of Personnel Management — did not appear broadly for sale on the so-called dark web, where illicitly obtained information is often sold for use in cybercrime.

Law enforcement officials have not yet found evidence that the Chinese government has used the data from the Equifax hacking, Mr. Bowdich said.

The company reiterated on Monday the difficulty of warding off state-sponsored attacks. Companies often fall back on that explanation; Senator Mark Warner of Virginia, the top Democrat on the Senate Intelligence Committee, pushed back after the indictment was made public.

“A company in the business of collecting and retaining massive amounts of Americans’ sensitive personal information must act with the utmost care — and face any consequences that arise from that failure,” he said in a statement.

The hackers’ encryption of their operations inside Equifax’s networks is a common technique and has raised new questions about why such sensitive data in American databases is not legally required to be encrypted, experts noted. Many companies have resisted such regulation, in part because encrypted data can be harder for them to search.

China has “pioneered an expansive approach to stealing innovation,” Christopher A. Wray, the director of the F.B.I., said last week at a conference on the threats posed by China.

He said China was racing to obtain information about sectors as diverse as agriculture and medicine to advance its economy, using a mix of legal means like company acquisitions and illicit acts like spying and cyberattacks.

“They’ve shown that they’re willing to steal their way up the economic ladder at our expense,” Mr. Wray said.

The outcry from consumers and lawmakers after the Equifax breach and the company’s clumsy response was strong: Its executives were chastised, and Equifax eventually settled with regulators for up to $700 million.

But of the 147 million consumers affected, only a little more than 10 percent had filed for some type of compensation as of Dec. 1.

Of those, more than 4.5 million filed claims for a cash payment of up to $125, one of the settlement options. But the company had set aside only $31 million for that option, which amounts to less than $7 a person.

While the thefts present a national security risk, Americans have “almost become as a country immune to these breaches,” Mr. Bowdich said.

“You hear about it in the news and you think, ‘Well there goes my credit card number, my Social Security number, my bank account information,’ and you sign up for another year of free credit card monitoring information,” he said. “We cannot think like that in this country.”

David E. Sanger contributed reporting from Washington, Nicole Perlroth from San Francisco and Tara Siegel Bernard from New York.