Agency Director Katherine Archuleta and CIO Donna Seymour are named in the class action lawsuit.
The nation's largest federal employee union Monday filed a class action lawsuit against top officials at the Office of Personnel Management for the massive government data breach that exposed the personal information of millions of current and former federal employees.
A complaint filed in U.S. District Court by the American Federation of Government Employees names the agency, OPM Director Katherine Archuleta, OPM Chief Information Officer Donna Seymour, and background check contractor KeyPoint Management Systems as defendants.
The lawsuit contends the breach has caused financial as well as emotional harm.
The litigation stems from OPM data breaches that compromised personnel records on 4.2 million former and current federal employees, as well as intimate background investigations on an unknown number of personnel with access to classified information. The hacks were disclosed earlier this month.
Attackers believed to be sponsored by a nation state allegedly stole a KeyPoint employee's credential to access the government's network, according to congressional testimony last week.
The union alleges OPM violated the Privacy Act by neglecting to comply with federal information security statutes and inspector general recommendations. Since 2007, according to the complaint, OPM officials have been aware of security weaknesses and failed to take steps to tighten controls as advised.
"Although they were forewarned about the potential catastrophe that government employees faced, OPM's data security got worse rather than better," officials said in a statement released Monday evening.
After infiltrating the agency's networks in 2013, intruders first stole server manuals that could have given attackers a map of OPM's IT environment and then ultimately purloined private details on federal employees.
The union claims employees have suffered or will suffer from "pecuniary losses, anxiety and emotional distress," caused by among other things the compromise of personal information belonging to themselves, relatives, neighbors and acquaintances contained in investigative records.
"Despite putting government employees and their loved ones at significant personal and financial risk, OPM has failed to reveal the full scope of who was specifically impacted by the data breach and the extent of the information taken," union officials said.
Last week, testimony on Capitol Hill revealed investigators are struggling to understand the scope of the attack partly because OPM and KeyPoint lacked sufficient computer logs.
The group is demanding a jury trial.
"Since the agency is unwilling to provide adequate assistance, AFGE is taking unprecedented steps to gather more information for our members and hold the agency accountable," union officials said.
KeyPoint officials have said there is no evidence the company was responsible for or directly involved in the breach. Archuleta has said no one in the government is personally responsible for the incident; rather, the well-funded attackers should be blamed for the penetration. Chinese foreign intelligence operatives are believed to be connected to the hacks.
The lawsuit also claims "the credit monitoring services that OPM provided have not only fallen short, but actually created more potential security risks for employees," officials added. Victims have expressed frustration with customer service and inaccurate information provided by ID theft protection firm CSID.
The suit was filed on behalf of AFGE as well as union members Robert Crawford, a Federal Railroad Administration inspector, and Michigan resident Adam Dale, a former Social Security Administration attorney.