The largest federal employee union this week filed a class-action lawsuit against the US Office of Personnel Management, its director and CIO, and a government service provider following the theft of personally identifiable information of at least 4 million employees in a cyberattack.
The American Federation of Government Employees filed the suit June 29 in the US District Court in Washington DC against OPM, Director Katherine Archuleta, CIO Donna Seymour and KeyPoint Government Solutions—a firm providing background investigations.
The AFGE, which represents 650,000 federal government civilian employees, alleges that despite being “on notice of significant deficiencies in its cyber security protocol” since at least 2007, OPM failed to protect the personal data it held. It says, citing news reports and unnamed US officials, that up to 18 million federal applicants’ personnel and security files were affected by the breach.
In early June OPM said it was sending notices to 4 million federal employees. OPM posts federal job openings, conducts background checks and security clearances, manages pension benefits for retired employees, administers health insurance and other insurance programs to employees, and provides training and development programs for employees and government agencies.
“Despite putting government employees and their loved ones at significant personal and financial risk, OPM has failed to reveal the full scope of who was specifically impacted by the data breach and the extent of the information taken,” said an AFGE statement. “Additionally, the credit monitoring services that OPM provided have not only fallen short, but actually created more potential security risks for employees.
“AFGE is working with its members to ascertain the breadth of the breach and obtain feedback on OPM’s response. Since the agency is unwilling to provide adequate assistance, AFGE is taking unprecedented steps to gather more information for our members and hold the agency accountable.”
Since the cyberattack, Archuleta has come under fire and has said the office’s computer systems are old and outdated.
The AFGE claims Seymour failed to comply with changes required by the OPM’s Office of Inspector General over a period of years and that this latest cyberattack was not OPM’s first. Late last year Colorado-based KeyPoint, hired by the OPM, said it suffered a data breach. The OPM said it had no evidence employee personal information was taken but it still notified nearly 50,000 federal workers of the breach—later determined to be caused by the misuse of credentials by an employee.
“Since 2007, officials at OPM have been alerted to their lackluster data security policies and protocols and failed to take appropriate steps to safeguard the information,” said the statement. “Although they were forewarned about the potential catastrophe that government employees faced, OPM’s data security got worse rather than better.”
AFGE said members of the proposed class “suffered and will continue to suffer actual damages and pecuniary losses,” and it is seeking compensation for these costs, injunctive relief, implementation of stronger cybersecurity standards, credit monitoring “for a sufficient period of time,” and identity-theft insurance.
The union cites experts who have said the services offered by OPM were not enough to protect those affected by the breach, and that cybercriminals quickly duplicated the emails OPM sent to employees offering credit-monitoring services.