
Witnesses appear before a House hearing on the OPM breach. Photo: Mark Wilson/Getty Images
In a reply to Senator Mark Warner's (D-VA) email attempting to cut through confusion, the Department of Justice said its June 18 press release, which implied that a Maryland woman somehow accessed data from the 2015 Office of Personnel Management breach, was a "regrettabl[e] ... premature conclusion."
Why it matters: The U.S. publicly accused Chinese spies of the massive breach in 2015, and arrested a Chinese national for his involvement. But a badly worded June 18 press release made it sound like 39-year-old Maryland resident Karvia Cross somehow had access to that data when she fraudulently applied for loans in the names of several OPM victims. The two stories seem incompatible — Chinese espionage wouldn't normally result in an American committing fraud.
"Because the victims in this case had other things in common in terms of employment and location, it is possible that their data came from another common source."— The DOJ to Sen. Warner
What the letter says: "A number of the victims of this scheme identified themselves to the Department of Justice as victims of the OPM data breach. However, at present, the investigation has not determined precisely how their identity information used in this case was obtained and whether it can, in fact, be sourced directly to the OPM data breach."
What's new here: The DOJ had already tried to clean up the press release debacle by removing all reference to OPM from an updated press release, but it had not suggested that Cross used alternate methods to access the same information, including employer or residential data from different, but overlapping, lists.
Axios's Codebook newsletter mentioned this was a possibility last week.
Editor's note: This story has been corrected to fix an inadvertent transcription error that led us to omit the word "not" from the Department of Justice quotation.