The American Federation of Government Employees (AFGE) filed suit Monday against the Office of Personnel Management (OPM), two of its top officials and an agency contractor over the cyber theft of employees’ personal information.
The lawsuit says OPM Director Katherine Archuleta and Donna Seymour, OPM’s chief information officer “repeatedly failed to comply with federal law and make the changes required by the OIG’s (Office of Inspector General) annual audit reports” on cyber security programs.
Earlier this month, OPM announced that 4.2 million files, including names and Social Security numbers of current and former federal employees, had been hacked. Another breach involved the records of employees and contractors seeking security clearances. OPM has not announced the number of individuals whose information was stolen in that attack.
Keypoint Government Solutions is a private company OPM uses to perform background investigations of security clearance candidates. AFGE named the company as a defendant because it was the target of a cyber attack in December and “Archuleta and the OPM identified the misuse of a KeyPoint user credential as the source of the breach” the agency currently is investigating, says the class action lawsuit filed in federal district court.
“The combination of KeyPoint’s cyber security weaknesses and the OPM’s cyber security failures caused the massive scope of the OPM Breach,” according to AFGE.
AFGE requested a jury trial. It also asked the court to award “appropriate relief, including actual and statutory damages,” but did not ask for a specific dollar amount.
“AFGE will not sit idly by while OPM fails to comply with the most basic requests for information or provide an adequate response …” said a statement from AFGE President J. David Cox Sr., Secretary-Treasurer Eugene Hudson Jr., and Vice President for Women and Fair Practices Augusta Y. Thomas. “Since the agency is unwilling to provide adequate assistance, AFGE is taking unprecedented steps to gather more information for our members and hold the agency accountable.”
The lawsuit comes on the heels of a letter 18 Republican House members sent to President Obama asking him to remove Archuleta and Seymour from their positions.
OPM had no immediate reaction to the lawsuit and KeyPoint could not be reached for comment.
At a House Committee on Oversight and Government Reform Committee hearing last week, however, Eric Hess, KeyPoint’s president and CEO said “we have seen no evidence suggesting KeyPoint was in any way responsible for the OPM breach. There have been some recent media reports suggesting that the incursion into KeyPoint’s system last year is what facilitated the recently-announced OPM breach. There is absolutely no evidence that KeyPoint was responsible for that breach.”