The Office of Personnel Management has mailed out 3.7 million notification letters to cyber breach victims in the month since the agency announced it would begin notifying those impacted by the hack.
An OPM spokesperson told Federal News Radio in an email that the agency expects to mail an additional 700,000 letters by the end of the month, with a total of 10 million letters mailed by mid-November. The letters include information about free identity theft protection and credit monitoring services. About 162,000 people have enrolled for the services as of Oct. 26, which is “on par with industry standard” the spokesperson said.
More than 21 million people were affected by the data breach, which jeopardized personal data including birthdates and Social Security numbers. About 25 percent of those victims also had their fingerprints stolen.
The number of people who have taken up the offer for free services doesn’t surprise David Parker, director of the Center for the Study of Fraud and Corruption at Saint Xavier University.
Insight by ProPricer: Emily Murphy, former GSA administrator, and Angela Styles, former OFPP administrator, discuss what updates to the mentor-protégé program mean for small and large businesses.
“A lot of consumers and many consumer protection groups are really lukewarm, even hostile, to such services,” Parker said.
Parker said sometimes all a monitoring service does is serve as a Band-Aid. It doesn’t prevent a crime, it just lets a person know more quickly that there’s an issue.
Parker said it’s important for those people impacted by the cyber breach to do comparisons between monitoring services, to see if other services provide additional monitoring not included in the one provided by ID Experts, the company awarded the contract to provide the protection services.
“Hopefully with the federal government, [the monitoring service] is going to be legitimate, but what are they really offering,” Parker said. “People need to be sure and read and understand the product: are they providing daily, weekly, monthly credit reporting. The best services provide daily or at best real-time reporting.”
But Parker urged victims not to ignore the offerings.
“It’s a good thing, I would certainly recommend signing up for it,” he said. “But don’t sit here and think you’re 100 percent protected. You need to take care of yourself as well, take responsibility for your own financial health.”
Sample letters posted on OPM’s website explain to breach victims what information might be included in background investigation forms, as well as the information that could show up if someone’s spouse or partner filled out a background investigation form.
The standard letter states:
The letter for people who had their fingerprints stolen states:
A request for comment from ID Experts was not immediately returned, but a notification on its website states that the company estimates “notifications will continue to be made over a period of 12 weeks through the beginning of December. If you believe you should receive a letter and have not received it yet, please be patient.”
OPM has been working with the Department of Defense since the second major breach was made public in July. In early October the Defense Information Systems Agency awarded a $1.8 million contract to Advanced Onion Inc. to help find and notify the millions of victims through a website that users check by cross checking personal data by securely logging into a site run by the Defense Manpower Data Center (DMDC).
Cobert, who stated in her Oct. 1 email that her information was stolen, also asked for patience from victims.
“We’re committed to getting this right,” she said. “However, given the sensitive nature of the database that was breached — and the sheer volume of people affected — we are all going to have to be patient throughout this notification process.”