In one day in December 2015, Marlon McKnight opened a bank account, a savings account and applied for a vehicle loan at the Langley Federal Credit Union in Virginia, according to court records. McKnight supplied a name, birthdate and Social Security number to open the accounts.

The information McKnight supplied was not his.

And so began what appears to be the first illicit use of federal employee data that was swiped by suspected Chinese hackers in 2015, creating a cloud of mystery that has sparked the attention of members of Congress.

McKnight pled guilty June 11 to identity theft and bank fraud using stolen information from a 2015 hack on the U.S. Office of Personnel Management.

In that hack, Chinese hackers are suspected of breaching the government agency’s digital defenses and obtaining records of more than 21 million federal workers. It is one of the largest and most embarrassing breaches of government data in American history. Everything from Social Security numbers to employment to health history was compromised.

Until now, experts believed that the Chinese government used the stolen data for its own purposes. But the June plea has created new questions over exactly who has access to the swiped details, and how it is being used.

Since 2015, the federal government has said that “there was not a risk of domestic use of this information for criminal or fraudulent purposes,” wrote Sen. Mark Warner, D-Va., in a June 21 letter to the government. But Warner said that the case “calls this assumption into question,” and called the lack of information from OPM and the Department of Justice “unacceptable.”

“I believe further details about how the defendants obtained the (stolen data) could be useful for the purposes of protecting victims of the breach from further criminal activity,” wrote Rep. Gerry Connolly, D-Va., in a June 26 letter.

On June 21, Joshua Stueve, a spokesperson for the Eastern District of Virginia, said in a statement that “the government continues to investigate the ultimate source of the (stolen data) used by the defendants.”