It has been four years since hackers stole personal information from 22 million people through the Office of Personnel Management, and only now are we seeing concrete evidence that the data is being used in financial crimes.
A woman admitted in federal court this week that she used the identities of OPM breach victims to take out fraudulent loans through a federal credit union, as my colleague Rachel Weiner and I reported. It appears to be the first criminal case involving OPM data that the Justice Department has publicly disclosed.
The revelation could give new momentum to legislation seeking to provide better protection to the federal employees, retirees and others whose personal information was stolen from two government databases in 2014, and spur lawmakers to consider broader safeguards for victims of similar compromises.
“It’s a wake-up call,” said Rep. C.A. Dutch Ruppersberger (D-Md.), who has floated a bill to give lifetime identity-theft protection to victims of the breach. “You have a person who somehow got that data and information … and she’s trying to use false information to enhance herself. The good news is, we caught her. But there are many out there we haven’t found.”
According to court records, the woman was part of a group that used OPM data to take out car and personal loans at Langley Federal Credit Union in the names of the victims, then cashed loan checks or got wire transfers from the accounts they set up. She pleaded guilty Monday in federal court in Virginia to conspiracy to commit bank fraud and aggravated identity theft. Another defendant in the case admitted to the same charges last week.
Ruppersberger’s legislation, called the Recover Act, would apply to any current, former and prospective OPM employees whose data was compromised in the breach. Currently, OPM is required to offer identity theft protection coverage only through 2026.
That's clearly not enough, said Ruppersberger, who introduced the bill last month with Rep. Eleanor Holmes Norton (D-D.C.).
“Now that this information is out there it could be used 10, 15 years from now,” he told me. “The OPM breach was one of the biggest that we had in our government network, and a lot of our government employees were impacted. This [case] is an example of how serious this issue is.”
Chris Wysopal, chief technology officer at the cybersecurity firm CA Veracode, agreed that at the very least the victims would need lifetime credit monitoring “given the long tail” of the OPM hack. The hackers stole troves of personal information with “about as rich of a data record as you can get,” Wysopal said.
The huge heist included information such as Social Security numbers and past addresses, but also security-clearance files containing extensive details about friends, family, relationships and finances for a range of highly sensitive government jobs. U.S. officials have linked the hack to China — though they haven't formally attributed it to the government — and a Chinese national was accused in California last year of using the malicious software deployed in the hack.
How exactly the identity thieves got ahold of OPM information isn’t clear. According to court records, one of the people whose identity was stolen told investigators his or her personal information had been compromised in the hack on OPM, but a spokesman for the U.S. District Court for the Eastern District of Virginia would not elaborate on how the thieves may have accessed it.
Wysopal said it was unlikely that the people charged in the case had anything to do with the original OPM breach. He said the data could have surfaced in marketplaces on the “Dark Web,” where criminals could have purchased it for as little as $20 to $30.
No matter how they got it, the type of information stolen in the breach can’t be easily changed, giving it long-term value to a thief, said Jamie Winterton, a data breach expert and director of strategy for Arizona State University’s Global Security Initiative.
“Unlike a credit card” the bank can easily replace, she said, “this has staying power that can be exploited for years down the line.”
Right now, Winterton notes, the burden of identity theft protection is on the victims of major breaches, including OPM and the massive hack on the credit-monitoring agency Equifax last year. While OPM, for instance, has offered victims a suite of protective services, including free credit monitoring, victims have been asked to periodically re-enroll, sometimes after just one year, as contracts with the providers of those services have expired. It's not clear how many people have done so.
“Given the frequency and severity of huge data breaches that expose sensitive personal information, it’s time for Congress to put some regulations in place that help protect the victims in a meaningful way,” Winterton said. “Once personal information is stolen, a company can’t retrieve it, and there are complex legal hurdles involved for a victim of identity theft. Lifetime credit monitoring and guaranteed legal assistance would be more fair and more meaningful to victims than a large fine levied on the corporation and a single year of credit monitoring.”