The 21.5 million current and former federal employees who had their sensitive personal information accessed by Chinese hackers will have a new suite of protections from ID Experts, the Office of Personnel Management announced Tuesday.
The contract is worth more than $133 million, with options that could bring the full value to nearly $330 million.
OPM announced the provider of its identity protection services after weeks of evaluating its options for the breach that it announced earlier this summer. ID Experts will offer employees affected by the breach of their background checks — and their minor-aged children — three years of credit monitoring and identity theft protection as well as a $1 million identity insurance policy, all free of charge to the employees.
Notifications will start going out to the affected individuals with instructions on signing up at the end of the month, acting OPM Director Beth Cobert said in a call with reporters.
She also sought to assure federal employees that she understands their concerns, repeating that she, too, had her information stolen.
“I completely understand and share the concern and frustration people are feeling,” Cobert said. “We are doing all in our power to support those individuals victimized by this cybercrime.”
U.S. officials have blamed China for the cyberattack on OPM’s servers that compromised the most intimate details of millions of current, former and prospective government employees and contractors. The breach and the damage control that followed led to the resignation of the previous director of OPM, after many lawmakers called for her firing.
The suspected motive was espionage, but experts say that doesn’t rule out the potential for identity theft, as well.
That said, Cobert told reporters there has been no indication to date that the information stolen in the breach has been used.
“We have been working closely with the FBI and others to monitor the data and we have seen no evidence, they have seen no evidence, that the stolen data from the background investigation breach has been exploited,” Cobert said.
Though OPM announced the number of affected individuals in the background check hack in July, it waited weeks to announce who would be offering protections to those individuals, a stark contrast to the rapid-fire turnaround with which it awarded a contract for the first breach of its servers that it announced in June.
In that case, more than 4 million individuals were given 18 months of identity protection services and a $1 million identity insurance policy. But the speed at which OPM decided on a contractor — the request for proposals was only open three days — raised eyebrows on the Hill and among the employees being covered by the services.
In addition, the decision to notify affected individuals by email created concerns about further hacking attempts, the provider’s website crashed in the early days, and the call center handling inquiries about the services suffered hours-long wait times for concerned employees.
That contractor, CSID, was not selected by OPM for the bigger contract revealed Tuesday.
It remains to be seen if the new contract will satisfy Capitol Hill. All four senators from Maryland and Virginia have introduced legislation to increase the offerings to federal employees, calling the original contract inadequate. That bill called for lifetime protections and a $5 million insurance policy.
Amid the intense scrutiny, OPM took its time even putting together its request for proposal to protect the 21 million affected by the second breach, working with the Department of Defense and General Services Administration, and then took more time to evaluate the applications.
They also chose to do some things differently with the new contract. The length of services was doubled, to three years, and OPM will cover minor dependents of employees affected, “because of the nature of the information that was stolen,” Cobert said.
In addition, the emails this time around will come from addresses ending in .mil or .gov, to address fears that hackers could try to spoof notifications to steal even more information from unsuspecting victims.
The Defense Department will handle the notifications, not the contractor, Rear Adm. Althea Coetzee told reporters on the call. She said the government felt the Defense Department would be the only entity that had the adequate infrastructure to notify the 21.5 million individuals affected.
The Defense Department, in consultation with other agencies, also developed a set of security standards for the contractor to ensure the data turned over to it about the employees would be protected, and reserves the right to visit ID Experts’ facilities and check to make sure the “most stringent” requirements are being followed, Coetzee said.
It has been an embarrassing year for federal cybersecurity, with the unclassified networks at the White House, State Department and Joint Chiefs of Staff all being hit by foreign hackers in addition to OPM.
Cobert wouldn’t say the agency is fully confident hackers have been fully eradicated from its systems, but said they will remain on guard.
“The team has reviewed the systems and has found no indication of adversary activity at this time,” Cobert said. “We will continue to be vigilant. We need to continue to be vigilant.”