US Fraudster Pleads Guilty to Using OPM Breach Data

US Fraudster Pleads Guilty to Using OPM Breach Data

A US woman has pleaded guilty to using data stolen in the notorious 2015 OPM breach to secure fraudulent loans.

Karvia Cross, 39, of Bowie, Maryland, pleaded guilty to conspiracy to commit bank fraud and aggravated identity theft and could theoretically face anything from two to 30 years behind bars.

She is said to have helped mastermind a wide-ranging fraud campaign, using OPM breach victims’ stolen identities to obtain personal and vehicle loans from Langley Federal Credit Union (LFCU).

“LFCU disbursed loan proceeds via checks and transfers into the checking and savings accounts opened through these fraudulent applications,” the Department of Justice explained. “Vehicle loan proceeds were disbursed by checks made payable to individuals posing as vehicle sellers, while personal loan proceeds were disbursed to LFCU accounts opened in connection with the fraudulent loan applications and transferred to accounts of others.”

Cross and others then withdrew the fraudulently obtained funds, the DoJ said.

Co-defendant Marlon McKnight pleaded guilty to the same charges on June 11.

The revelations are interesting as up until now the US government has blamed China for the devastating attack on the Office of Personnel Management. Some 22.1 million current and former US officials and their friends and family were caught in the breach, which included information on security clearance “background investigations” for military and intelligence roles.

That led many to speculate that foreign agents had co-ordinated the hack to obtain information which could be used to blackmail, coerce and intimidate US personnel and potentially even recruit spies.

It’s somewhat unusual therefore that the same data found its way presumably onto the cybercrime underground where fraudsters like Cross could access it, although there’s no official confirmation of this.

The breach itself was said to have been made possible after hackers stole credentials from a government contractor, something that could have been avoided with stronger security processes and implementation of multi-factor authentication.

Source: Information Security Magazine