Many Questions Remain About the Services That Will Be Provided to Hack Victims

The Obama administration has not yet selected a contractor to provide a “suite of services” to the 21.5 million individuals affected by the hack of background investigation details maintained by the Office of Personnel Management, nor does it know how much the services will cost.

White House Press Secretary Josh Earnest said at a Friday briefing OPM was “working diligently” to identify exactly who was impacted by the breach of data, which included Social Security numbers; health, criminal and financial histories; information about family and personal relationships; and other personal details. When OPM announced the specifics of the background investigation hack on Thursday, it said those affected would receive notifications “in the coming weeks.” 

Once the individuals are identified, “there will be an effort after that to locate those individuals and communicate to them the kind of risk that they face,” Earnest said. He added OPM is “going to work quickly” to select a contractor, but noted the importance of choosing one capable of the enormity of the task ahead.

He said there is no deadline for making the selection, but OPM is “working very aggressively” to do it as quickly as possible.

OPM awarded Winvale -- which in turn provided CSID’s services -- with the more than $20 million contract to give credit monitoring and identity theft insurance to victims of the initial hack of OPM personnel files, which included 4.2 million current and former federal employees.

The related, but separate, data breach affected five times that number, and OPM has said it will provide a more comprehensive package of benefits to those individuals, making the likely value of the new contract far greater than that of the original. That more comprehensive package will include full service identity restoration support and victim recovery assistance, identity theft insurance, identity monitoring for minor children, continuing credit monitoring and fraud monitoring services beyond credit files. Whereas OPM offered just 18 months of protections to the former and current federal workers affected in the initial hack, it will provide “at least” three years of services to those impacted by the second breach.

CSID received significant criticism for its handling of notifications and customer service for those affected by the initial hack, with federal employee groups complaining of long wait times and emails coming from a seemingly untrustworthy source rather than a dot gov address.

“It is not yet clear how OPM can handle this massive increase, when they were already struggling with the initial 4.2 million,” said William Dougan, president of the National Federation of Federal Employees.

Asked how the new contractor will deal with far larger volume of inquiries and customers, the White House’s Earnest said victims should refer to OPM’s Web portal, opm.gov/cybersecurity.

The White House would not rule out offering lifetime credit monitoring to federal employees or possibly everyone affected by the hacks. Earnest said the administration will review a proposal put forward in the Senate to that effect. Prior to her resignation, outgoing OPM Director Katherine Archuleta said OPM would put forward a proposal to give all federal employees free credit and identity theft monitoring “to ensure their personal information is always protected.”

Should OPM need additional funding to implement the necessary changes in response to the hack, as Archuleta previously indicated, Earnest said he expects the appropriation to be greeted with the same “passion and zeal” with which lawmakers initially responded to news of the hack.

“If that requires additional funding, we will certainly look forward to the strong bipartisan support it should have,” Earnest said.

He also said the recent targeting of federal employees by U.S. adversaries should not discourage potential applicants from federal service, as the breaches are simply part of a new reality. The government will never claim its work on cybersecurity is finished, he said, as the threats are “ever evolving.” 

(Image via LDprod / Shutterstock.com)