Update: There is new information involving this case. Be sure to read the articles included in the links at the end of the article for further details.
There was some uncertainty surrounding what would be done with the stolen data of current and former federal employees from the data breaches that took place at the Office of Personnel Management in 2015. Now we have at least one example.
A Maryland woman pleaded guilty this week to participating in a scheme to use the stolen identification information of victims from the OPM data breaches according to an announcement from the Justice Department.
According to court documents, Karvia Cross, 39, of Bowie, participated in and recruited others to engage in a fraudulent identity-theft scheme targeting Langley Federal Credit Union (LFCU).
In 2015 and 2016, LFCU received numerous online membership and consumer loan applications in the names of stolen identities that were victims of the OPM data breach. LFCU approved and issued the requested memberships and loans prior to determining that they had been sought using the stolen personal identifying information of others.
LFCU disbursed loan proceeds via checks and transfers into the checking and savings accounts opened through these fraudulent applications. Vehicle loan proceeds were disbursed by checks made payable to individuals posing as vehicle sellers, while personal loan proceeds were disbursed to LFCU accounts opened in connection with the fraudulent loan applications and transferred to accounts of others. Cross and others then accessed and withdrew the fraudulently obtained loan proceeds.
Cross pleaded guilty to conspiracy to commit bank fraud and aggravated identity theft. She faces a maximum penalty of 30 years and a consecutive mandatory minimum of two years in prison when sentenced on October 26.
Actual sentences for federal crimes are typically less than the maximum penalties. A federal district court judge will determine any sentence after taking into account the U.S. Sentencing Guidelines and other statutory factors.
Speculation About Use of the Stolen Data
According to Reuters, the Justice Department has not yet announced how Cross obtained the data.
When the OPM data breaches were announced in 2015, it wasn’t clear if the stolen data were going to be used for commercial gain or it was espionage from China. A CNN report at the time said that China might be building a database to use for future attacks. China has denied any involvement.
Safeguarding Federal Employee Data
Lawmakers have been pushing to provide free lifetime identity theft protection to federal workers impacted by the OPM data breaches. Free protection has been provided but is currently scheduled to last through 2026. As of the time of this writing, this legislation has not advanced further.
A recent OPM Inspector General report said that OPM’s IT security is still not where it ultimately needs to be to protect the agency’s data, although improvements have been made.