Cybersecurity

OPM begins mailing notifications to data breach victims

The millions of federal employees, contractors and others who have been waiting to find out whether their information was stolen during the Office of Personnel Management (OPM) data breach will soon have answers.

The OPM began mailing notification letters to the 21.5 million individuals impacted by the breach this week, alerting them that their data was compromised and describing the suite of identity protection services they will receive for three years.

The letters will also indicate whether an individual was one of the 5.6 million whose fingerprint data was taken as part of the heist.

The personnel agency came under fire last week when it revealed that it underestimated the number of fingerprints stolen by about 4 million.

The timeline of the notification process has been under intense scrutiny. Because the company tapped to help the victims did not win its contract until two months after the breach was revealed, some people may not find out their data was taken until as late as November.

“We still don’t know: Has everybody who has been potentially impacted been notified?” Rep. Will Hurd (R-Texas) demanded earlier this week. 

“One of the forms you use in the background investigations is 100 or so pages. If you had a security clearance and your neighbors were interviewed, your neighbors’ Social Security numbers and details were included. If you were married and let’s say you got divorced, was that divorced spouse notified?” said Hurd, the chairman of the new House Oversight Subcommittee on Information Technology. 

OPM acting Director Beth Cobert called for patience throughout the notification process, which she warned could take “considerable time.”

“I understand that many of you are frustrated and concerned, and would like to receive this information soon. My personal data was also stolen in this breach, and I am eager to get my notification letter as soon as possible so that I can sign up for these services,” Cobert wrote.

“However, given the sensitive nature of the database that was breached — and the sheer volume of people affected — we are all going to have to be patient throughout this notification process.”

The notifications are part of a $133 million contract awarded to ID Experts, doing business as Identity Theft Guard Solutions.

The contractor will be under close scrutiny after the firm selected to handle the first, smaller OPM breach — which compromised roughly 4.2 million personnel files — faced fierce criticism from federal workers and lawmakers.

Critics lambasted contractor CSID for having a website that crashed easily and lengthy phone waits to speak to a representative. Affected individuals were also critical of notification emails from CSID addresses that many people mistook for a scam.

Cobert said in her letter that this round of notifications will be sent via the U.S. Postal Service. 

“Email will not be used,” Cobert wrote.