Hacker News
Before It Was Hacked, Equifax Had a Different Fear: Chinese Spying (wsj.com)
145 points by propman 6 months ago | 41 comments

The article is about Equifax, but based on the histories and subsequent employment of other suspect individuals they are far from the only target. Any FI or related should be concerned.

The common goal seems to be to get their foot in the door within a subset of 3-5 American financial verticals (the "b-b-but I just work in marketing!" excuse is an obscenely common insider position that doesn't attract any scrutiny at all, unlike someone working in engineering or R&D. Seriously: you want to find the spies in your company? Start with marketing), exfiltrate everything they can access and retreat to China for a cushy job and enjoyment of immunity against extradition. By the time the target catches on and law enforcement gets spun up, they've already finished their tour of duty with two to three other companies and are on a plane halfway across the Pacific.

It's hard to do anything about it without either implementing literal racist policies or comprehensively overhauling an entire industry's security posture, but it is what it is.

Heh, even racist policies would not stop this.

You could just offer non-Chinese Americans a hefty reward plus a Chinese passport for their espionage. Given the number of Gen-Z or Millennials saddled with debt, in an era with little company/employee loyalty (both ways), it seems like the recruitment pool would be quite big. Pick someone "All American" looking and be done with it.

Both the Soviets and the Chinese have done similar things to steal military secrets.

These days, the Chinese and Russians can get whatever they want from companies like Equifax without leaving the comfort of their own homes or dealing with messy human interactions. Either one of them can, and most likely did, hack Equifax at will.

I would be surprised if a large company with very good security practices could resist them indefinitely, Equifax wasn't going to hold them off.

The difference between state actors and regular thieves is the state actors don't want anyone to know about it. Sony got wrecked by North Korea because they wanted them to feel the pain. That could happen at almost any company, just the state actors want a long-term strategic advantage not a short-term one.

The ubiquity of technology in all aspects of our society makes us extremely vulnerable to losing a digital war. We have so much more to lose, and so much more surface area vulnerable to attack. Seriously, North Korea was able to assert their will on us just to (successfully) keep a movie from being released to theaters.

I've normally heard it that they pay current insiders rather than try to get outsiders to join. Though I'd appreciate links to well documented cases to the contrary.

Also, really, none of this matters for 99.99% of the companies out there. The weak point is far from hiring practices. The weak point is almost always cybersec or social engineering.

Not an hour ago, I talked to a client who thought an employee's email was hacked because they got this email:

From: employee name (sjfjro@garbage.io) Subject: direct deposit

Boss, I have a new account, please change my direct deposit info.

Yours, Employee name

They changed the direct deposit info. Need a wetware version update.
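The scam in the comment above is display-name impersonation: the From header carries a real employee's name in front of an address at an unrelated domain, and the subject asks for a payment-change. The following is an added example, not code from the commenter or from any product the thread mentions, showing the check a mail gateway or payroll inbox can run before anyone acts on such a request. The employee directory, the company domain, the keyword list and the three sample headers are all constructed for the example; the spoofed header rewrites the comment's `employee name (sjfjro@garbage.io)` into the standard `Name <address>` form so the standard-library parser can read it.

```python
"""Flag display-name impersonation in payment-change requests (added example)."""
from email.utils import parseaddr
import unicodedata

# Constructed directory: display name -> the address that name is allowed to use.
DIRECTORY = {
    "Jane Employee": "jane.employee@example.com",
}
# Constructed: domains that mail from our own staff is expected to come from.
COMPANY_DOMAINS = {"example.com"}
# Constructed: subject fragments that should never be actioned on an unverified sender.
PAYMENT_KEYWORDS = ("direct deposit", "bank account", "wire", "payroll", "iban")


def normalize(name: str) -> str:
    """Casefold and strip accents so 'Jane Émployee' still matches 'Jane Employee'."""
    decomposed = unicodedata.normalize("NFKD", name)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).casefold().strip()


def classify(from_header: str, subject: str) -> tuple[str, list[str]]:
    """Return (verdict, reasons) for one message.

    Verdicts:
      impersonation - display name belongs to a known employee, address does not
      suspicious    - external sender asking for a payment change
      ok            - nothing found
    """
    display, addr = parseaddr(from_header)
    addr = addr.casefold()
    domain = addr.rpartition("@")[2]
    reasons: list[str] = []

    known = {normalize(n): a.casefold() for n, a in DIRECTORY.items()}
    expected = known.get(normalize(display))
    if expected is not None and addr != expected:
        reasons.append(f"display name matches employee but address is {addr}, expected {expected}")

    external = domain not in COMPANY_DOMAINS
    if external:
        reasons.append(f"sender domain {domain!r} is not a company domain")

    subj = subject.casefold()
    if any(k in subj for k in PAYMENT_KEYWORDS):
        reasons.append("subject requests a payment/banking change")

    if expected is not None and addr != expected:
        return "impersonation", reasons
    if external and any(k in subj for k in PAYMENT_KEYWORDS):
        return "suspicious", reasons
    return "ok", reasons


# Constructed sample headers; the first mirrors the one quoted in the comment.
SAMPLES = [
    ("Jane Employee <sjfjro@garbage.io>", "direct deposit"),
    ("Jane Employee <jane.employee@example.com>", "direct deposit"),
    ("Vendor Billing <ap@vendor.example>", "Updated wire instructions"),
]

if __name__ == "__main__":
    for hdr, subj in SAMPLES:
        verdict, why = classify(hdr, subj)
        print(f"{verdict:13} {hdr} / {subj}")
        for r in why:
            print(f"               - {r}")
```

The verdict is deliberately based on the directory, not on the sender's domain alone: a legitimate employee writing from the corporate domain about direct deposit is "ok", while the same name from anywhere else is "impersonation" regardless of subject. Even an "ok" message should still go through the out-of-band callback that payroll policy requires; the check only decides what gets held before a human looks at it.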

I'm being thick. If they thought it was a hack why did they change the deposit info?

Also, I'm really into cryptocurrencies now. Please pay me in bitcoin.

Special treatment against specific nations isn’t necessarily racist (depends on motives). I don’t think treating Chinese immigrants differently wrt private business information is racist, as long as the same rules don't apply to ethnically Chinese US citizens

I was interested in seeing if that is the case, it turns out that is actually discrimination:


"The law prohibits employers from hiring only U.S. citizens or lawful permanent residents unless required to do so by law, regulation or government contract."

Based on that, as long as someone in the US is legally allowed to work, you cannot turn them down because they are a Chinese National.

This doesn’t stop Washington DC from discriminating against Chinese and Russian job seekers.

In which cases does the US government ("Washington DC"?) discriminate against Chinese and Russian applicants more than other noncitizens for defense roles?

Yes, you could hire Japanese citizens and not Chinese and comply with that.

So there could be a law or regulation in place for specific industries is what it says. Not to mention any large government contract could specify it. So based on that, as long as someone in the U.S. is legally allowed to work, there might be any number of areas in which they are not allowed to work.

By that logic, we can't conclude that anti-Semites are racist until we've resolved the scholarly debate as to whether the Jews constitute a "race" of their own.

I'm not saying that Jews shouldn't be regarded as a race. I'm saying that your moral reactions shouldn't be contingent on morally irrelevant descriptive features such as whether the group being discriminated against constitute a race or nation or ethnicity.

It's even possible for people to discriminate against people from a state or city. Should we wait for a special word like "statist" and "citist" to be coined before suddenly discovering that this is wrong?

And don't tell me: "but the reason we want to treat these people differently is because of their moral characteristics, it's not that we are biased against them". Go read Mein Kampf and tell me this isn't exactly the rationale for anti-Semitism stated in it.

Practically, how do you see this working? I get it that very senior management could work with HR on information/promotion discrimination. But do you expect the rest of the company to have discretion in executing information security when so much information flows freely inside divisions? By seeing who has the thickest accents? Or perhaps people could wear bands on their shoulders? Why stop there--maybe we can mandate it in the public sphere too. I don't mean to be sarcastic or insensitive, but motives and intentions can be blurry.

I think you would need to look at ITAR as an example. In that context, you need to restrict things to US nationals and there are complications for dual nationals.

My guess would be that .gov will create some sort of regulatory regime around critical infrastructure.

A nit: I believe ITAR is open to US Persons, which would include green card holders & permanent residents, beyond those born in Samoa or overseas US citizens.

I am not for or against this practice, but this is how it works in places like EA (minus the racist parts) where security is a concern. Different classes of employees have different colored door badges which is visually obvious.

Unfortunately given the trends, being ethnically Chinese will now be another vector for potential job discrimination.

It's like that in defense as well.

It isn't practical or sensible to discriminate based on nationality. Like, it won't work, and in retrospect it will look as stupid as Japanese internment camps.

> do you expect the rest of the company to have discretion in executing information security when so much information flows freely inside divisions?

Finance and law are decently adept at erecting information barriers. Roping off certain information to non-Chinese nationals would be annoying but with plenty of precedent.

What about ethnically Chinese Canadian citizens in its Toronto office? It sounds a lot like the rules did apply to US citizens.

I am not sure why this comment with such blatant discrimination against nationality is not immediately down-voted or flagged.

This is the same line of argument as the Muslim ban.

Not quite. The so-called Muslim ban involved countries that may have little ability to discern who's who in their own country. Most Muslim nations did not fit this criterion.

But others actively try to place spies in other countries. It's not wise to treat them as we treat allies, especially given the way they treat their own minorities and political dissidents and neighbors and debtors.

Speaking purely anecdotally, it could be because some people have trouble discerning between the culture, the broad ethnic groups considered to be 'Chinese' no matter where in the world they are, the headline-generating government of the P. R. of China, and Chinese nationality of people who were geographically there when they entered the world. This leads to all sorts of arguments of "the Chinese are horrible people and can't be trusted because their government does terrible things."

Wow. China holding over 1mm Muslims in "re-education" camps, forcing them to eat pork and drink alcohol. China steals everyone's IP and knocks it off. China bullies the Philippines, a relatively poor country, out of some natural resources that might actually help it. Now China tries to steal the information of hundreds of millions of Americans. And today, the US proposed trade talks with China, rolling over for its money. Economic pressure stopped the Soviet Union, and we should try it on China too. Money is the only safe method of pressuring China into ending its atrocities. We should use it.

> Money is the only safe method of pressuring China into ending its atrocities. We should use it.

Surely your Congress can double the debt ceiling to borrow another 22 trillion USD.


Some have suspected that a state actor may have been behind the breach, given the sophistication of the attack and the lack of reporting about fraudsters using the stolen data.


Paywall bypass: http://archive.is/Visq4


The same goes for every other company in that line of business, in the US as well as in Europe. The data in their databases has immense value for state actors and allows them to help identify those that could be easily compromised.

Didn't seem to make them tighten their security any.

Exactly; seems like they fell prey to a sort of decision paralysis (perhaps due to revenue lost in implementing protection). A lot of companies are having this problem. Regulation is inevitable & required.

Its earlier fear was for _its own data_, where it had skin in the game: "Investigators from the company and the FBI came to view events at Equifax as potentially a huge theft of data—not of consumers’ personal data, as happened with the subsequent 2017 hacking of Equifax’s files, but of confidential business information."

Loss of info it collected on the rest of us is no skin off its nose and falls under the Don't Care category.

I understand that they hired some people to improve security. They didn't immediately overhaul everything, but how could you? You can't replace a whole organization at once. There's a lot of institutional knowledge and things in motion even at dysfunctional ones.

I even think they are using it as an excuse: "We were so busy fighting off the Chinese it prevented us from keeping your data safe".

I guess they must have had really good security protocols in place if they were worried about being hacked by state actors.

I wonder if this has to do with Jack Ma stepping down?

Curious...can you elaborate?

It is very suspicious that someone as motivated as Ma would just up and quit on his baby at such a young age. It is not outside the realm of possibility that he stepped over a party line and is being forced to retire as punishment.

Ha, you may need to read more about him. Jack has been doing hand-overs for a long period (longer than 5 years actually). His personality is closer to Larry Page than to Elon Musk. He seems to like doing less ground-crunching management, focusing on long-term visionary things. And for the last few years he has not even spoken often publicly for Alibaba, and his social media account is full of NGO activities. Maybe it's just time for a new journey.

Also Jack IS the god in Alibaba forever, no one can really change that.

In fact, I have read his book. I'm not suggesting he is a part of some conspiracy. But it would be irresponsible to not notice one of the top 10 biggest CEOs of recent history stepping down at a noticeably young age within a week of one of his cornerstone companies being implicated in a breach of one of the largest owners of American financial data.

>Also Jack IS the god in Alibaba forever, no one can really change that.

Cmon, man.
