With mystery swirling around an identity theft case where prosecutors have claimed the perpetrators used personal information included in the Office of Personnel Management breach, two lawmakers are pushing the government for more information.
A pair of letters sent this week by Sen. Mark Warner, D-Va., and Rep. Gerry Connolly, D-Va., to the heads of the Department of Justice and OPM issues a number of questions about the alleged identity fraud charges. The Virginia lawmakers are especially interested in learning how the defendants acquired the data.
On June 18, the Eastern District of Virginia announced that a Maryland woman had pleaded guilty to identity theft charges. That press release initially said the data used in that crime was from the OPM breach. On June 21, the district issued a correction to their press release, stripping any mention of the breach.
Virginia is home to the single largest population of federal workers and government contractors. Data stolen from OPM carried highly sensitive personal identifiable information, including social security numbers and medical records. Fears that the stolen data could be used by criminals has been looming for years.
The widely assumed notion is that OPM breach was carried out by a Chinese government-linked hacking group that was looking for counterintelligence material. While never publicly attributed to any group, the breach was not believed to be carried out by financially motivated actors.
The latest revelation challenges that narrative and simultaneously helps various civil lawsuits still pending against the government for the breach.
It remains possible that the defendant in this case used stolen data that also existed in OPM’s database, but was taken entirely different source, such as a breached financial institution.
Since the DOJ announcement, current and former government officials affected by the breach have questioned if they, too, are now at risk of having their identities stolen.
Multiple attempts to contact the defendant’s lawyer went unanswered.
Connolly told CyberScoop Wednesday that if the alleged fraudsters really did use data stolen by hackers during the 2015 OPM breach, it would be “hard to believe” that there weren’t more victims of fraud using that data.
But regardless of what emerges in the fraud case, Connolly said that there was a continued and urgent need to protect the OPM breach victims.
“I am very alarmed,” he said. “What additional measures are we taking to protect against that [fraud]?”
Sean Lyngaas contributed to this report.