There’s no firm evidence fraudsters are using stolen data from the massive 2015 breach, officials said.
The Justice Department goofed when it suggested in a June 18 press release that the personal information a Maryland woman used to steal the identities of numerous Langley, Virginia, victims came from the 2015 Office of Personnel Management Breach, a Justice Department official said Monday.
While the Langley identity theft victims were also victims of the OPM data breach, there’s no hard evidence that that’s where identity thieves got their information, Assistant Attorney General Stephen Boyd said in a letter to Sen. Mark Warner, D-Va., ranking member on the Senate Intelligence Committee.
“Because the victims in this case had other things in common in terms of employment and location, it is possible that their data came from another source,” Boyd said.
The statement did not describe those commonalities in more detail. The identity theft scheme involved taking out phony personal and auto loans through the Langley Federal Credit Union, according to the press release. The Langley credit union offers banking services to people with numerous employers, mostly in the public sector, not just federal employees.
The initial press release sparked concern and confusion among federal workers.
Intelligence officials have routinely suggested the massive cache of sensitive security clearance information about more than 20 million current and former federal employees was stolen by the Chinese government—not criminal fraudsters.
The upshot was that Chinese spies had a mother lode of highly personal information about federal employees, but, because that information was stashed safely in Beijing, most OPM victims didn’t need to worry about phony loans or tax returns being filed in their names.
The June 18 press release seemed to throw that into confusion by announcing that the identity thief, Karvia Cross, “pleaded guilty … to participating in a scheme to use the stolen identification information of victims of the … OPM data breach.”
The Justice Department first declined to expand on the press release, then updated it June 21, clarifying that the source of the information used in the vehicle loan scheme was unclear.
“Regrettably the [U.S. Attorney’s Office’s] original press release…implied a premature conclusion that the exclusive and known source of the stolen identities used in the Langley Federal Credit Union fraud case was the OPM data breach,” Boyd said in his letter to Warner.
After receiving numerous inquiries about the press release, the Justice Department “conducted an internal review of the case and the wording of the press release,” before issuing the updated release, Boyd said.
“At present the investigation has not determined how [the] identity information used in this case was obtained and whether it can, in fact, be sourced directly to the OPM data breach,” Boyd said.