Breach Notification , Incident & Breach Response , Managed Detection & Response (MDR)

OPM Breach Notifications: 21.5 Million Are Still Waiting

Government Announces Bulk Buy of ID Theft, Breach Response Services
OPM Breach Notifications: 21.5 Million Are Still Waiting

The U.S. Office of Personnel Management has yet to issue breach notifications to 21.5 million individuals whose personal information was exposed during the agency's massive data breach (see OPM Struggles to Notify Breach Victims). But OPM officials say that the agency will finally begin issuing related notifications later this month and that all breach victims should receive alerts by sometime in October, including the option to enroll in three years of prepaid identity theft monitoring services.

See Also: Hunt Cloud Threats or Be Hunted | CISO Guide to Cloud Compromise Assessments

"We remain fully committed to assisting the victims of these serious cybercrimes and to taking every step possible to prevent the theft of sensitive data in the future," says Beth Cobert, who is serving as OPM's acting director, following former director Katherine Archuleta resigning July 10, about one month after OPM first announced news of the data breach on June 4. "Millions of individuals, through no fault of their own, had their personal information stolen and we're committed to standing by them, supporting them, and protecting them against further victimization. And as someone whose own information was stolen, I completely understand the concern and frustration people are feeling."

Both OPM and the U.S. Department of Defense announced Sept. 1 that a $133 million contract has been awarded - by the U.S. General Services Administration, an independent agency that oversees about $500 billion in federal assets - to Identity Theft Guard Solutions, which does business as ID Experts. The company will offer prepaid credit monitoring, identity monitoring, identity theft insurance and identity restoration services to the 21.5 million affected individuals - as well as their dependent minor children who were under the age of 18 as of July 1, 2015 - for a three-year period.

The move to notify the 21.5 million individuals follows OPM already notifying 4.2 million victims of what the agency called a "separate but related" hack attack that compromised federal employees' and contractors personnel records, which was first discovered in April, and which reportedly occurred in December 2014. The discovery of that incident led to the June 2015 discovery of the background-information theft, which reportedly began first with a May 2014 network intrusion, followed by attackers stealing massive amounts of data from July to August of that year. Many of the victims of the smaller breach were also victims of the background-investigation hack attack, OPM says.

Why the Breach is so Bad

The 21.5 million individuals' compromised information includes extremely personal details - sexual, financial, familial, medical - that they were required to share for background-check investigations, which are required to obtain or keep a security clearance (see Analysis: Why the OPM Breach Is So Bad).

In the wake of the breach, OPM, background-check provider KeyPoint Government Solutions, the Department of Homeland Security, as well as many current and former OPM officials - Archuleta included - have been named in multiple breach-related lawsuits, some of which seek class-action status (see OPM Sued Again ... This Time by a Judge). In general, the lawsuits allege that there were well-known cybersecurity and privacy problems of a serious nature that the agency should have rectified prior to the breach.

Blanket Purchase Agreement: ID Theft, Breach Response

But the next time a U.S. government agency suffers a massive data breach, it should at least be able to alert breach victims more quickly. That's because the General Services Administration also announced on Sept. 1 that it has awarded blanket purchase agreements, which encompass identity monitoring, as well as data breach response and protection services. "The BPAs will be available to agencies for the next five years and have an estimated value of $500 million," GSA says.

BPAs are designed to give federal agencies easy and quick access to supplies and services at a lower cost than if they had negotiated them on their own. "These BPAs give federal agencies access to a pool of well-qualified contractors capable of providing the services needed to mitigate potential damage to those affected by data breaches and other personnel security matters," GSA says.

"Now customer agencies can better protect the government's most valuable asset - federal employees - from potential damage caused by data breaches and other personnel security matters," says Denise Turner Roth, GSA's administrator.

GSA says that under the terms of these BPAs, there are two tiers of contractors: tier 1 contractors and contractor teaming arrangements that have experience in responding to data breaches that involve a significant number of people, as well as tier 2, which includes "contractors with general experience in providing routine data breach responses."

The tier 1 contractor is the aforementioned ID Experts, while the contractor teaming arrangement lead is Bearak Reports - doing business as Identity Force and also includes Total Systems Technologies. The Tier 2 award contractor teaming arrangement lead, meanwhile, is Ladlas Prince, and also includes Grove Street Investments and Catapult Technology.

"The BPAs were awarded based on these companies demonstrating the ability to successfully execute the [request for quotation's] requirements, fulfill the services contemplated under the BPAs and provide low pricing and aggregate volume discounts," GSA says.

The BPAs do nothing to address the reported cybersecurity deficiencies - and tight information security budgets - that plague numerous government agencies (see Is OPM Breach Just Tip of Iceberg?). But the next time current and former U.S. government employees and contractors' personal information gets stolen, and the breach gets discovered, then victims should more quickly receive related identity theft monitoring services.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.