Jul 3, 2018

How a loan scammer clouded the OPM breach's China link

The House Oversight hearings on OPM in 2015. Photo: Mark Wilson/Getty Images

Last month, Maryland resident Kavira Cross pleaded guilty to applying for fraudulent loans using personal information stolen in the 2015 U.S. Office of Personnel Management breach. The plea immediately raised some uncomfortable questions about the OPM breach, in which 21 million Americans' personal information was stolen.

The big picture: The U.S. attributed the breach to a Chinese intelligence operation. But surely China would not have orchestrated an attack on a federal agency just to help an American woman defraud a credit union? Here's where it's important not to jump to conclusions.

Why it matters: It's hard to look at the Cross plea without wondering about the attribution. "All prior public information was that this data breach was caused by Chinese hackers," Sen. Mark Warner (D-Va.) wrote in a July 21 letter to the Justice Department. "Yet, according to the DOJ, this information is now in the hands of U.S. residents for illicit use, and may have been as early as 2015."

The U.S. even arrested a Chinese national in the case last year. If Cross, rather than China, had hacked OPM — again, please don't jump to this conclusion — the U.S. would pay a big price in lost credibility. But experts say there are other explanations in play.

The background: Some of this confusion is of the Department of Justice's making.

  • The original June 18 DOJ press release about the Cross case said she had "participat[ed] in a scheme to use the stolen information of victims of the [OPM breach]." It read to many like the scheme involved either stealing or purchasing stolen OPM records.
  • Three days later, after confusion began to mount, the DOJ scrubbed the press release of any mention of OPM. But a note explaining the change didn't answer many of the fundamental questions: "Numerous victims of the [Langley Federal Credit Union] identity theft fraud also identified themselves to DOJ as victims of the OPM Data Breach. The Government continues to investigate the ultimate source of the [personal information] used by the defendants and how this [personal information] was obtained."

Be smart: "The story is weird, and we don’t know the provenance of the data," cautioned Toni Gidwani, director of research operations at ThreatConnect. "We’re in a space where there are multiple, plausible explanations for how she got the data."

  • Criminals tend to use current events as lures in phishing attacks designed to get people to give up personal information. In fact, in 2015, the Department of Homeland Security's U.S. Computer Emergency Readiness Team warned about phishing attacks related to the OPM theft.
  • OPM, as its name implies, stores data on federal employees and those who applied for federal jobs. Any stolen data set rich in names of current and former federal employees — even, say, a list of Northern Virginia residents — might have significant overlaps with the OPM breach data.
  • It's way too early to question the China attribution, said Gidwani and other experts.