The Department of Justice has apologized for confusion over its announcement last month that a fraudster used information stolen in the infamous 2015 Office of Personnel Management breach — an episode that confounded lawmakers and ran counter to publicly available information on the breach.
The confusion began after DOJ announced on June 18 that a Maryland woman had pleaded guilty to using stolen OPM data to get car and personal loans. The public assumption had been – and still is – that Chinese hackers had stolen the data for espionage purposes.
But DOJ now says that it hasn’t yet determined whether the woman and her accomplice got the data from the OPM breach or somewhere else.
After an internal review, the U.S. Attorney’s Office for the Eastern District of Virginia appended a statement to its press release saying that “numerous victims” of the fraud self-identified as victims of the OPM breach. “The government continues to investigate the ultimate source of the [personally identifiable information] used by the defendants” and how it was obtained, the statement said.
Puzzled how the data might have ended up in American scammers’ hands, Sen. Mark Warner, D-Va., and Rep. Gerry Connolly, D-Va., wrote to DOJ and OPM demanding answers.
In a response Monday to Warner, Assistant Attorney General Stephen E. Boyd said the investigation has not yet determined exactly how the victims’ data was exposed and “whether it can, in fact, be sourced directly to the OPM data breach.”
“Because the victims in this case had other things in common in terms of employment and location, it is possible that their data came from another common source,” Boyd added.
“Regrettably,” Boyd continued, the original DOJ press release “implied a premature conclusion that the exclusive and known source of the stolen identities used in the [fraud case] was the OPM data breach.”
“We apologize for the confusion,” he wrote.
In a statement to CyberScoop, a spokesperson for Warner said the senator is “pleased that DOJ has clarified the initial announcement, which led to significant, and apparently unneeded, anxiety for millions of victims of the OPM breach.”
You can read the full letter from Boyd to Warner below.