Feds Award Contract to Notify and Protect the 21.5 Million Victims of OPM Data Breach

The government also lined up a group of companies that it has cleared to provide data-breach services to any federal agency for the next five years.

Vehicles drive past the Theodore Roosevelt Building, headquarters of the Office of Personnel Management on June 5.
Bloomberg AFP/Getty
Sept. 1, 2015, 7 p.m.

Nearly three months after a pair of cyberattacks at the Office of Personnel Management were made public, the government has awarded a contract to begin contacting 21.5 million individuals who have not been notified that their personal information was compromised.

It is also lining up a group of contractors to keep on call to provide cleanup services for future data breaches. Under an agreement announced Tuesday, any federal agency will be able to call on one of the contractors to notify and provide identity-theft protection services to individuals affected by a data breach.

Two contractors are cleared to provide services to “populations of significant size,” and one is available to provide “routine data-breach responses.” The agreement is valid for five years.

One of the contractors in the first group—Identity Guard—has been tasked with a big job right out of the gate.

When OPM announced in June that more than 4 million current and former federal workers had their personal information compromised by a cyberattack, it began almost immediately to notify the individuals and sign them up for identity-theft response services.

But when the agency announced the size of a second breach, which targeted a database that included more sensitive information—names, addresses, Social Security numbers, and more than a million fingerprints—it did not have a provider lined up to notify the 21.5 million individuals whose information was caught up in the attack, or to provide them with identity-theft protection services.

That task now falls to Identity Guard, which will send out the millions of notifications and deal with the ensuing call volume and service signups. The notifications will “begin by the end of this month and continue over the following weeks,” said Beth Cobert, OPM’s acting director, in a call with reporters Tuesday.

The government will pay $133,263,550 for Identity Guard’s notification and protection services, which will be provided at no cost to the affected individuals. Recipients of government notifications are eligible for three years of coverage—until the end of December 2018—as are their dependent children who are under 18 years of age as of July 1, 2015.

All 21.5 million people are immediately covered with an identity-theft insurance plan, and are eligible for identity restoration, which they can use if their identities are stolen. They also have the option to sign up for additional free services such as credit and identity-theft monitoring.

“Millions of individuals, through no fault of their own, had their personal information stolen, and we’re committed to standing by them, supporting them, and protecting them against further victimization,” Cobert said in a statement. “And as someone whose own information was stolen, I completely understand the concern and frustration people are feeling.”

The government has not made a formal attribution for the cyberattacks, but officials have privately pointed at China, a claim that lawmakers have echoed.

In a document drafted during the search for contractors to keep on call, the government estimated that it would spend $500 million on data-breach cleanup in the next five years.

The first round of 4.2 million notifications in June was handled by CSID, another contractor, which was criticized for how it handled the process. Many federal workers reported long phone wait times and problems with CSID’s website, issues which the contractor said were made worse by an unprecedented demand for its services.

While the typical response rate for post-breach notifications is less than 5 percent, Cobert said Tuesday that nearly a quarter of notified individuals signed up for a CSID plan in June.

Representatives of the multiagency task force that developed the requirements for the contracts awarded Tuesday said they took into account lessons from the first round. This time, for example, notification emails will come straight from the Defense Department—sent from a .gov or a .mil email address—rather than from a private contractor’s .com email address, which is more difficult to authenticate.
