Two class action lawsuits, in which federal workers claimed they were harmed when the U.S. Office of Personnel Management (OPM) exposed the personal data of 21.5 million people in 2014, can proceed, the D.C. Circuit Court of Appeals has ruled.
The case could have a significant impact on other cyber attacks that have targeted the federal government and involve the personal data of employees.
Quick backgrounder:
- In March 2014, Chinese hackers infiltrate the OPM's network. The agency believes it had successfully thwarted the attack and the incident is not disclosed to the public.
- In June 2014, The United States Investigation Services (USIS) disclosed a breach of 25,000 government employees’ personal information to the OPM. It is believed the USIS incident occurred around the same time as the OPM breach and was conducted by the same Chinese hackers.
- The following month the NY Times reported the cyber attack, the first time the public was told of the breach. The OPM immediately sent an email to federal employees informing them of the intrusion that occurred in March.
- In December, another breach was discovered at KeyPoint Government Solutions involving 48,000 federal workers.
- In April 2015, OPM detected a breach dating back to the previous December. Two months later it discovered another breach.
- By a final court, the number of people affected swelled to nearly 22 million former, current and prospective federal employees.
You can read a full timeline of the breach here.
The resulting lawsuits were combined into the class action complaints, both of which were subsequently waved off by a federal judge, who cited the lack of evidence by the plaintiffs to prove they’d been injured by the theft of their personal data. The D.C. Court of Appeals, however, suggested otherwise, contending that the cyber crimes had left federal workers vulnerable.
Personal information left exposed by the OPM for hackers to pilfer included social security numbers, birth certificates, fingerprints and addresses, a veritable pathway to potentially valuable cyber heists. Indeed, in the five years since the initial burglary, federal workers said they have been victimized by identity theft, credit card fraud and phony tax returns filed in their name, according to the lawsuit, The Hill reported.
"There is no question that the OPM hackers ... now have in their possession all the information needed to steal identities," the court wrote, in the ruling to allow the lawsuit to proceed. "Plaintiffs have alleged that the hackers stole Social Security numbers, birth dates, fingerprints, and addresses, among other sensitive personal information. It hardly takes a criminal mastermind to imagine how such information could be used to commit identity theft."
Some early reporting on the breaches pointed to the Chinese government as the perpetrators of the attack, suggesting it was part of an espionage campaign. But the appeals court summarily dismissed that notion, arguing that the lower court should not have given it any weight in its decision.
"As an initial matter, the district court should not have relied even in part on its own surmise that the Chinese government perpetrated these attacks," the appeals court said. (via The Hill) "Given that espionage and identity theft are not mutually exclusive, the likely existence of an espionage-related motive hardly renders implausible claim that they face a substantial future risk of identity theft and financial fraud as a result of the breaches," the court wrote.