OPM notifies 3.7 million cyber attack victims about data protection services

The Office of Personnel Management has mailed out 3.7 million notification letters to cyber breach victims in the month since the agency announced it would begin notifying those impacted by the hack.

An OPM spokesperson told Federal News Radio in an email that the agency expects to mail an additional 700,000 letters by the end of the month, with a total of 10 million letters mailed by mid-November. The letters include information about free identity theft protection and credit monitoring services. About 162,000 people have enrolled for the services as of Oct. 26, which is “on par with industry standard” the spokesperson said.

More than 21 million people were affected by the data breach, which jeopardized personal data including birthdates and Social Security numbers. About 25 percent of those victims also had their fingerprints stolen.

Register now: Join Tonya Ugoretz, director of Cyber Threat Intelligence Integration Center for a free online chat on Tuesday, October 25 at 1 p.m.

The number of people who have taken up the offer for free services doesn’t surprise David Parker, director of the Center for the Study of Fraud and Corruption at Saint Xavier University.


“A lot of consumers and many consumer protection groups are really lukewarm, even hostile, to such services,” Parker said.

Parker said sometimes all a monitoring service does is serve as a Band-Aid. It doesn’t prevent a crime, it just lets a person know more quickly that there’s an issue.

Parker said it’s important for those people impacted by the cyber breach to do comparisons between monitoring services, to see if other services provide additional monitoring not included in the one provided by ID Experts, the company awarded the contract to provide the protection services.

“Hopefully with the federal government, [the monitoring service] is going to be legitimate, but what are they really offering,” Parker said. “People need to be sure and read and understand the product: are they providing daily, weekly, monthly credit reporting. The best services provide daily or at best real-time reporting.”

But Parker urged victims not to ignore the offerings.

“It’s a good thing, I would certainly recommend signing up for it,” he said. “But don’t sit here and think you’re 100 percent protected. You need to take care of yourself as well, take responsibility for your own financial health.”

Sample letters posted on OPM’s website explain to breach victims what information might be included in background investigation forms, as well as the information that could show up if someone’s spouse or partner filled out a background investigation form.

The standard letter states:

  • If you applied for a position or submitted a background investigation form, the information in our records may include your name, Social Security number, address, date and place of birth, residency, educational, and employment history, personal foreign travel history, information about immediate family as well as business and personal acquaintances, and other information used to conduct and adjudicate your background investigation.
  • If your information was listed on a background investigation form by a spouse, or co-habitant, the information in our records may include your name, Social Security number, address, date and place of birth, and in some cases, your citizenship information.

The letter for people who had their fingerprints stolen states:

  • While we are not aware of any misuse of your information, we are providing a comprehensive suite of identity theft protection and monitoring services,” the letters state. “We are offering you and any of your dependent children who were under the age of 18 as of July 1, 2015, credit monitoring, identity monitoring, identity theft insurance and identity restoration services for the next three years through ID Experts, a company that specializes in identity theft protection. The identity theft insurance and identity restoration service coverage has already begun. You have access to these services at any time during the next three years if your identity is compromised.

A request for comment from ID Experts was not immediately returned, but a notification on its website states that the company estimates “notifications will continue to be made over a period of 12 weeks through the beginning of December. If you believe you should receive a letter and have not received it yet, please be patient.”

OPM has been working with the Department of Defense since the second major breach was made public in July. In early October the Defense Information Systems Agency awarded a $1.8 million contract to Advanced Onion Inc. to help find and notify the millions of victims through a website that users check by cross checking personal data by securely logging into  a site run by the Defense Manpower Data Center (DMDC).

Cobert, who stated in her Oct. 1 email that her information was stolen, also asked for patience from victims.

“We’re committed to getting this right,” she said. “However, given the sensitive nature of the database that was breached — and the sheer volume of people affected — we are all going to have to be patient throughout this notification process.”

Read all of Federal News Radio’s coverage of the OPM Cyber Breach.