OPM breach protection services on the way for 21.5M victims

The contract for identity theft and credit protection services for OPM breach victims has been awarded, but protection notifications will not be going out to OPM victims until later this month.

Acting director of the Office of Personnel Management (OPM), Beth Cobert, announced on Tuesday that a contract has been awarded to Identity Theft Guard Solutions LLC, which does business as I.D. Experts, to provide identity theft and credit protection for those affected by the OPM breach.

The contract is valued at approximately $133 million, and will provide up to three years of protection for the 21.5 million people affected by the breach, as well as any dependents who were still minors as of July 1, 2015.

"We remain fully committed to assisting the victims of these serious cybercrimes and to taking every step possible to prevent the theft of sensitive data in the future," Cobert said. "Millions of individuals, through no fault of their own, had their personal information stolen. And we're committed to standing by them, supporting them and protecting them against further victimization."

The U.S. General Services Administration also announced a five-year, $500 million deal with I.D. Experts for government-wide Federal Supply Schedule Blanket Purchase Agreements (BPAs) for identity monitoring, as well as data breach response and protection services. This means protection services should be made available much faster in the event of another federal data breach.

The OPM breach was first announced on June 4, 2015, although the breach itself took place in April and was discovered in May. Cobert said notifications of protection service sign-ups will go out by the end of this month. It is unclear when or if the 21.5 million victims of the breach were notified that personal information from background-check applications was stolen.

OPM did not respond to requests for information at the time of this post, but Cobert did try to reassure victims during a press conference held on Tuesday.

"As someone whose own information was stolen, I completely understand the concern and frustration people are feeling," Cobert said. "I am sorry about the concern this breach has caused and want to assure everyone impacted that we are doing everything in our power to support those individuals impacted by this cybercrime."

Jason Polancich, founder and chief architect of SurfWatch Labs Inc., based in Sterling, Va., said the response to the OPM breach has been far too slow, especially in light of President Obama's proposed Personal Data Notification & Protection Act, which called for companies to alert customers within 30 days of a data breach.

"The proposed breach notification rules show how far removed our policymakers are from what is actually      happening, and they are further evidence of how clueless the government is in trying to keep up with this massive problem," Polancich said. "The fundamental system of government is about latency. Cybersecurity moves fast and it's only getting faster. Our government, now and in future, is slow."

Next Steps

Learn more about legal obligations surrounding cloud data breach notifications

Dig Deeper on Data security breaches