Jeff Wasserman/

Some OPM Hack Victims Will Wait Four Months to Receive Notifications

Up to 6.3 million children of 21.5 million hack victims could also qualify for protection services.

The 21.5 million individuals whose background investigation data was compromised in the Office of Personnel Management database hack will have to wait up to four months to find out they were impacted by the breach, according to details of the pending contract the government sent out to contractors on Tuesday evening.

Naval Sea Systems Command, in coordination with the General Services Administration and the Office of Personnel Management, issued a request for quotes on GSA’s eBuy Web portal Tuesday, when it was obtained by Government Executive. The RFQ spells out exactly what the government expects from the company that eventually wins the contract, and asks for bidders to make their best offers given those parameters.

The winning bidder will be expected to deliver the “bulk” of notifications “within the first weeks” of receiving the award, NAVSEA said in the request, but the larger window will allow the government “the time needed to ensure due diligence in obtaining valid addresses to reach the impacted population.” NAVSEA expects the contractor to be prepared to accept enrollments in the credit monitoring and identity theft protection services and to respond to victims’ questions within two weeks of the award.

NAVSEA is not expected to make its award until the end of August, meaning the last notifications will not go out until four months from now, five months from the time breach details were made public, six months from the time OPM became aware of the hack and 18 months since the hackers first infiltrated the data.

As part of the suite of services the government is offering to hack victims -- which includes former and current federal employees, contractors, applicants and family members -- the selected contractor will provide identity theft monitoring for dependent minors of hack victims. NAVSEA estimated this could include up to 6.3 million children. Even if the dependents’ names were not listed on the SF-86 form at the center of the breach, the family impacted by the breach could opt to enroll them in the services.

Nearly one in four victims of the initial hack involving OPM’s personnel files of current and former federal employees enrolled in the services offered to them by CSID. If that ratio holds for this hack, as GSA and OPM have speculated it could, the contractor could be on the hook for providing protection services to nearly 7 million individuals.

Those services will include:

  • Credit monitoring and the delivery of credit reports from all three nationwide credit agencies;
  • Identity monitoring, including but not limited to “monitoring of the Internet and monitoring database sources including criminal records, arrest records, bookings, court records, pay day loan, bank accounts, check databases, sex offender, change of address, and Social Security number trace;”
  • And identity restoration, to assist the individuals in getting back to where they were prior to the identity theft, with services including “counseling, investigation, and resolving identity theft issues.”

The contractor will also have to establish call centers that operate 24 hours per day, seven days per week for the first six months following the award. Subsequently and until the end of the contract -- through December 31, 2018 -- the call center must be open 5 a.m. through 5 p.m. Pacific Time, Monday through Saturday.

The call center was a major point of contention in the first breach, when CSID fielded numerous complaints from lawmakers and federal employee advocates that wait times were too long and customer service was poor. This contract will require the vendor to have an automated response that allows callers to authenticate themselves using a touchtone device.

Among the deliverables the contractor will have to provide to the government will be reports on the continuous monitoring of its systems, to ensure no breaches occur.

Also on Tuesday evening, GSA issued an RFQ for a blanket purchase agreement. The BPA will enable GSA to pre-qualify vendors to provide protection services when hacks of government data occur in the future. GSA estimated the value of those future contracts to be worth $500 million over the next five years.

Contractors interested in pursuing the more immediate contract, or participating in the BPA, must submit their quotes to NAVSEA or GSA by August 14. 

(Image via Jeff Wasserman/