Feds Award Contract to Notify and Protect the 21.5 Million Victims of OPM Data Breach

The government also lined up a group of companies that it has cleared to provide data-breach services to any federal agency for the next five years.

Sept. 1, 2015, 7 p.m.

Nearly three months after a pair of cyberattacks at the Office of Personnel Management were made public, the government has awarded a contract to begin contacting 21.5 million individuals who have not been notified that their personal information was compromised.

It is also lining up a group of contractors to keep on call to provide cleanup services for future data breaches. Under an agreement announced Tuesday, any federal agency will be able to call on one of the contractors to notify and provide identity-theft protection services to individuals affected by a data breach.

Two contractors are cleared to provide services to “populations of significant size,” and one is available to provide “routine data-breach responses.” The agreement is valid for five years.

One of the contractors in the first group—Identity Guard—has been tasked with a big job right out of the gate.

When OPM announced in June that more than 4 million current and former federal workers had their personal information compromised by a cyberattack, it began almost immediately to notify the individuals and sign them up for identity-theft response services.

But when the agency announced the size of a second breach, which targeted a database that included more sensitive information—names, addresses, Social Security numbers, and more than a million fingerprints—it did not have a provider lined up to notify the 21.5 million individuals whose information was caught up in the attack, or to provide them with identity-theft protection services.

That task now falls to Identity Guard, which will send out the millions of notifications and deal with the ensuing call volume and service signups. The notifications will “begin by the end of this month and continue over the following weeks,” said Beth Cobert, OPM’s acting director, in a call with reporters Tuesday.

The government will pay $133,263,550 for Identity Guard’s notification and protection services, which will be provided at no cost to the affected individuals. Recipients of government notifications are eligible for three years of coverage—until the end of December 2018—as are their dependent children who are under 18 years of age as of July 1, 2015.

All 21.5 million people are immediately covered with an identity-theft insurance plan, and are eligible for identity restoration, which they can use if their identities are stolen. They also have the option to sign up for additional free services such as credit and identity-theft monitoring.

“Millions of individuals, through no fault of their own, had their personal information stolen, and we’re committed to standing by them, supporting them, and protecting them against further victimization,” Cobert said in a statement. “And as someone whose own information was stolen, I completely understand the concern and frustration people are feeling.”

The government has not made a formal attribution for the cyberattacks, but officials have privately pointed at China, a claim that lawmakers have echoed.

In a document drafted during the search for contractors to keep on call, the government estimated that it would spend $500 million on data-breach cleanup in the next five years.

The first round of 4.2 million notifications in June was handled by CSID, another contractor, which was criticized for how it handled the process. Many federal workers reported long phone wait times and problems with CSID’s website, issues which the contractor said were made worse by an unprecedented demand for its services.

While the typical response rate for post-breach notifications is less than 5 percent, Cobert said Tuesday that nearly a quarter of notified individuals signed up for a CSID plan in June.

Representatives of the multiagency task force that developed the requirements for the contracts awarded Tuesday said they took into account lessons from the first round. This time, for example, notification emails will come straight from the Defense Department—sent from a .gov or a .mil email address—rather than from a private contractor’s .com email address, which is more difficult to authenticate.
