The Chinese "Big Four" PII collection campaign is the accepted analytic framing for a series of cyberespionage operations conducted by Chinese state actors between 2014 and 2018 against four data-rich U.S. organisations. Each individual breach was significant; their combined strategic effect — building a comprehensive intelligence dataset on U.S. cleared personnel and individuals of interest — is the campaign-level outcome.
The "Big Four" framing originated in U.S. intelligence-community public statements (FBI, ODNI) and is now standard in the threat-intelligence literature.
The four breaches
Office of Personnel Management (2014–2015)
OPM 2015. The most damaging of the four. Chinese state actors exfiltrated:
- 21.5 million SF-86 background-investigation files — the detailed personal histories submitted by every U.S. federal employee or contractor seeking a security clearance, going back decades.
- 5.6 million fingerprint records.
The data is a foreign intelligence service's targeting catalog for cleared U.S. personnel. Multiple CIA officers were reportedly recalled from China-based stations in subsequent years on assessments that their backgrounds had been compromised.
Anthem Inc. (2015)
Anthem 2015. The second leg. 78.8 million current and former Anthem health insurance customers had personal data — names, DOB, SSN, addresses, employment, income — exposed. Attribution to Chinese state actors (cluster: Black Vine / Deep Panda) was confirmed within weeks of disclosure. The DOJ indictment of Fujie Wang was unsealed in May 2019.
Marriott / Starwood (2014–2018)
Marriott / Starwood 2018. The third leg. Operators dwelled on Starwood's reservation infrastructure from mid-2014 through Marriott's 2016 acquisition and into late 2018. 500 million guest records were exposed, including 5.25 million unencrypted passport numbers. The data provides travel-pattern intelligence — when persons of interest were where, and with whom they overlapped.
Equifax (2017)
Equifax 2017. The fourth leg. 147.9 million U.S., U.K., and Canadian consumers had personal and credit data exfiltrated. The 2020 DOJ indictment formally attributed the operation to four named PLA Unit 54 officers (Wu, Wang, Xu, Liu) — the most detailed public attribution in the campaign.
Combined strategic dataset
The campaign's analytic significance lies in the fusion of the four datasets. Each individual dataset is intelligence-relevant; the combined dataset is qualitatively different:
| Dataset | Provides |
|---|---|
| OPM | Detailed background histories of cleared U.S. personnel |
| Anthem | Health profiles, employment history, family relationships |
| Marriott / Starwood | Travel patterns, hotel co-location with persons of interest |
| Equifax | Credit history, financial vulnerabilities, address history |
For a foreign intelligence service, the combined index enables:
- Targeting of cleared personnel for HUMINT recruitment based on financial vulnerabilities (Equifax) cross-referenced with security-clearance status (OPM).
- Detection of U.S. intelligence officer travel based on travel patterns (Marriott) cross-referenced with cover identities (OPM).
- Identification of medical conditions that affect decision-making or are vulnerable to exploitation (Anthem).
- Family-relationship mapping for compulsion / leverage operations.
The campaign is widely assessed by U.S. intelligence-community analysts as the most strategically valuable cyberespionage outcome in recent decades — the kind of intelligence haul that no single conventional collection operation could produce.
Component incidents
- OPM 2015 — 21.5M SF-86 records
- Anthem 2015 — 78.8M health records
- Marriott / Starwood 2018 — 500M guest records
- Equifax 2017 — 147.9M credit records
Why it matters
The Big Four campaign established:
- That state cyber operations are aggregable at strategic scale. Defenders evaluate one incident at a time; intelligence services aggregate.
- That personal-records-rich data sources (healthcare, hospitality, government clearance, credit reporting) are now permanent intelligence targets. No U.S. policy intervention has been able to undo the strategic loss.
- That named-officer indictments can be issued years after the underlying operation. The 2019 Anthem and 2020 Equifax indictments were possible because U.S. agencies had built attribution evidence over the intervening years.
- That multi-organisation campaigns require campaign-level analytic framing, not just incident-by-incident response. The threat-intelligence community's standard practice of campaign tracking traces partly to the Big Four.
The same Chinese actor cluster has continued operations through 2025, with targets shifting toward telecommunications infrastructure (Volt Typhoon, Salt Typhoon campaigns) and supply-chain compromise. The Big Four era's PII-aggregation phase appears to have given way to a more operationally focused emphasis on critical infrastructure pre-positioning.