Government employees are still waiting to see whether the federal government will compensate them for losing their most personal data in the 2015 cyber breach of the Office of Personnel Management, which saw hackers make off with financial, family and other sensitive information on roughly 22 million people.
A class-action lawsuit on behalf of the employees has been churning through a federal court in Washington, D.C., for roughly two years, where first the Obama administration and now the Trump administration say the employees can’t prove the data breach has caused them any injury.
Nearly everyone who has held or applied for a federal job over the last three decades had information stolen.
The employees are demanding compensation for both past and potentially future identity theft, but government lawyers say there’s no evidence the information stolen has actually been used.
“Plaintiffs do not plead any facts showing that these disparate harms — which range from unauthorized charges on credit cards to the filing of fraudulent tax returns to the misuse of a Social Security number — are attributable to any data breach, let alone the OPM data breaches,” OPM’s lawyers said in a motion asking the court to toss out the lawsuit.
The hack itself exposed major problems in the government’s cyber infrastructure, and the government is already paying tens of millions of dollars in credit monitoring for those whose information was snared.
OPM has revamped its cybersecurity protection with new tools since the 2015 breach, and enacted a two-factor authentication login for employees in order to increase security. It also created a position for a cybersecurity adviser to report directly to OPM’s director.
Federal authorities have signaled they believe the hackers had links to the Chinese government, though China has denied involvement.
The FBI last week arrested Yu Pingan, a Chinese man authorities said went by the hacker name GoldSun, and who the FBI said sold malware, including Sakula. News reports say Sakula was linked to the OPM hack.
The employees suing OPM say they want the government to pay for economic injuries and provide free lifetime identity theft protection services. They also want OPM to implement an updated security plan.
U.S. District Judge Amy Berman Jackson is considering the government’s motion to dismiss the case for lack of a provable injury.
Judge Jackson sent both sides back this month to submit briefs after an appeals court ruling in another data breach case against CareFirst BlueCross BlueShield, which saw data on 1.1 million customers hacked.
Christopher Hikida, an attorney for Girard Gibbs LLP, which is the firm representing the employees against OPM, said the new round of filings was usual when another case could shed light on important legal issues.
“One thing that we have been telling people is that there is nothing they have to do at this point, but in the meantime to preserve any documents that they have regarding the breach of any identity theft or fraud they’ve experienced,” said Mr. Hikida.
In testimony months after the hack became public, then-Director of National Intelligence James Clapper said the hack wasn’t a cyberattack, because information wasn’t destroyed or manipulated. Instead, it was a theft — the data was stolen.
Mr. Clapper said there was no evidence the data had been used, which could bolster the government’s case that the employees who had their information stolen haven’t suffered any specific harm.
Paul Rosenzweig, a law professor at George Washington University, said it is very difficult to prove who actually was behind the hack.
“Attribution is notoriously hard to accomplish. And most of how we do it is through circumstantial evidence and inference,” Mr. Rosenzweig said.
But Peter Swire, a law professor at Georgia Institute of Technology, said he’s confident it was China based on what he has seen in public reports. He said a nation-state like China would have hacked OPM in order to detect undercover agents, use information for blackmail and put pressure on federal employees.
Mr. Swire said it’s been difficult to link a data breach to an individual’s identity theft, and the federal courts have split on how strong the link and evidence must be for a plaintiff to succeed.
“The federal judge doesn’t have expertise in what China’s role has been or might be in the future. They don’t have special technical knowledge,” said Mr. Swire.
• Alex Swoyer can be reached at aswoyer@washingtontimes.com.