Lawmakers Demand to Know How Americans Got Their Hands on OPM Hack Data

Rep. Gerry Connolly, D-Va

Rep. Gerry Connolly, D-Va Alex Brandon/AP

The Justice Department says Americans may have used data from the breach in bank fraud scheme.

Democratic lawmakers are demanding answers about how Americans might have used personal information that was compromised in the 2015 hack of the Office of Personnel Management, after two people pleaded guilty to charges related to a bank fraud conspiracy.

On June 18, the Justice Department announced that two people had pleaded guilty to charges stemming from a scheme in 2015 and 2016 to take out car loans from Langley Federal Credit Union under the names of victims of the OPM hack. Kariva Cross and Marlon McKnight both pleaded guilty to conspiracy to commit bank fraud and aggravated identity theft.

The case raised alarm bells for Virginia Democratic Sen. Mark Warner and Rep. Gerry Connolly because, until now, officials had stated that the hack, which exposed millions of people’s personal information, had been conducted by hackers in China. Both lawmakers demanded information from the Justice Department and OPM on how Americans could have gotten their hands on the data.

“All prior public information was that this data breach was caused by Chinese hackers, yet, according to the DoJ, this information is now in the hands of U.S. residents for illicit use, and may have been as early as 2015,” Warner wrote in a June 21 letter to Attorney General Jeff Sessions and OPM Director Jeff Pon. “Despite my staff reaching out, I have not received any additional information from either of your offices on how this fraud is connected to the 2015 OPM data breach, nor has there been any public alert that those subject to the breach may be at greater risk to domestic fraud.”

But on that same day, the Justice Department issued a revised press release on the case, seemingly backpedaling from the assertion that the defendants had been “using stolen info” from the breach.

“As stated in the statement of facts for defendants Cross and McKnight, numerous victims of the LFCU identity theft fraud also identified themselves to DoJ as victims of the OPM data breach,” said Joshua Stueve, a spokesman for U.S. Attorney for the Eastern District of Virginia Zachary Terwilliger. “The government continues to investigate the ultimate source of the [personal identifying information] used by the defendants and how this PII was obtained.”

Stueve did not respond to a request for comment about the press release revisions.

Connolly and Warner both argued that investigators must tell the public how these two defendants obtained the information of victims of the OPM hack, since officials had previously speculated that the breach was intended as “passive intelligence collection” for potential blackmail material, not monetary theft.

“I believe further details about how the defendants obtained the PII could be useful for the purposes of protecting victims of the breach from further criminal activity,” Connolly wrote in a letter to Sessions. “I respectfully request a meeting with the department on how we can better balance the needs of this particular prosecution and related investigations with breach victims’ need to know how their PII is being obtained by criminals.”

Federal employees impacted by the OPM breach can receive identity theft protection services through 2026. In May, Rep. Dutch Ruppersberger, D-Md., and Del. Eleanor Holmes Norton, D-D.C., introduced legislation to extend protection for breach victims to last for life.