DOJ backtracks on linking OPM hack to fraud case

The Justice Department said it jumped the gun with a June press release that linked recent bank loan fraud cases to the 2015 cyber heist of federal employee data from the Office of Personnel Management, which is generally attributed to the Chinese government.

In a letter to Sen. Mark Warner (D-Va.), Assistant Attorney General Stephen Boyd said the press release jumped to a "premature conclusion" when it said data from the OPM breach was used by fraudsters who applied for and opened bogus loans at the Langley Federal Credit Union.

In mid-June, Karvia Cross pleaded guilty in Virginia to one count of identity theft and conspiracy to commit bank fraud in 2015 and 2016, according to the June press release from the U.S. Attorney's Office for the Eastern District of Virginia. DOJ said several others were charged along with Cross in their efforts to leverage stolen identity data to open fake accounts at the credit union in Northern Virginia.

Federal prosecutors said the personal data the alleged thieves used was filched in the massive OPM breach, which exposed sensitive data on over 20 million people.

However, Boyd explained to Warner that the attribution was not accurate. He said the investigation has yet to determine where the alleged fraudsters got their data.

The data they used, he said, shared commonalities with OPM data, and "several" of the victims in the credit union scam identified themselves as victims in the OPM breach. However, he said, investigators have not yet concluded where the data in the credit union case originated.

"Because the victims in this case had other things in common in terms of employment and location," Boyd said of the credit union investigation, "it is possible that their data came from another common source."

When the story broke, observers were at a loss to explain how data stolen in what is widely presumed to be a state-sponsored intelligence operation would have found its way into a small-time loan fraud operation. Investigators are still at work trying to determine what that source was, Boyd said.

Boyd also said the original June press release from the Attorney's Office for the Eastern District of Virginia that linked the OPM breach and credit union cases is being revised.