OPM says fewer cyber breach victims need to re-enroll in credit monitoring services

Editor’s note: OPM told Federal News Radio Nov. 4 that it received new information about the number of cyber breach victims who will need re-enroll in credit monitoring services. The story now reflects that new information. 

Victims of the Office of Personnel Management’s cyber breach who enrolled in credit monitoring services with Winvale/CSID about 18 months ago will soon have to re-enroll for the same services with a new vendor.

About 100,000 to 150,000 people will need to take some kind of action and will receive mail notification letters from OPM soon, as their coverage under Winvale expires Dec. 1. OPM will notify all 600,000 people who were only impacted by the first of the agency’s cyber breaches that they can sign up for services.

OPM had originally said that 600,000 people will need to re-enroll, but Winvale lowered its estimate to account for 100,000 to 150,000 victims who actually signed up for credit monitoring services, an OPM spokesperson said Nov. 4.

Advertisement

Letters will include directions for enrolling in credit monitoring services with ID Experts, the same vendor that scored OPM’s second contract for credit monitoring and identity protection services for victims of the background investigation records breach.

“We are providing the same type of coverage, but it will be available with a different vendor,” a senior OPM official told reporters during an Oct. 31 press call.

The change affects a small subset of OPM cyber breach victims — specifically the 100,000 to 150,000 victims who were only impacted by the first breach of personnel records and only signed up for coverage with Winvale.

Roughly 1.1 million people in total have signed up with Winvale/CSID credit monitoring services, OPM said. Most victims impacted by both cyber breaches have already had the opportunity to sign up for coverage under ID Experts when OPM sent out notification letters to victims of the second breach last fall.

“The folks who were eligible to receive services under both vendors have always been eligible to get their credit monitoring and identity protection services through ID Experts,” the senior OPM official said.

Coverage for new enrollees to ID Experts’ services will begin Dec. 2, 2016 and end Dec. 31, 2018.

“We did the timing such that it would match the end date for the ID Experts contract, therefore both contracts will be set to end on Dec. 31, 2018,” the OPM official said. “This will be the first step in OPM’s efforts to extend coverage to all impacted individuals for 10 years, and being able to have those contracts end at the same time will allow us to pursue a better procurement strategy that will allow us to get these services beyond Dec. 31, 2018.”

Victims can go to OPM’s cybersecurity resource center to re-enroll for the same credit monitoring services they had — but with a different provider. The agency’s notification letters will convey similar information and directions on how to enroll.

They should also receive a letter in the mail from Winvale, the OPM official said, which will also inform them that their coverage is expiring.

Breach victims who have credit monitoring services with ID Experts will see no changes in coverage and do not have to take any action.

OPM said it’s still encouraging breach victims who haven’t enrolled in identity protection services to sign up for coverage.

“Individuals, if they haven’t already enrolled, can use the notification letter that the government had mailed last fall to go ahead and sign up for those services with ID Experts,” the OPM official said.

Victims can also visit the OPM online cyber resources center to ask for another copy of their notification letter if they’ve lost the original.

It’s the first step in the process as OPM will eventually offer credit monitoring services to breach victims for 10 years, as now required by law.

OPM had contracts with two vendors for credit monitoring and identity protection services: ID Experts, which OPM offered to the victims of the second breach of background investigation information, and Winvale/CSID, which the agency hastily awarded after news of the first cyber breach of personnel records broke.

When OPM first awarded the contract with Winvale in June 2015, victims were originally offered 18 months of free credit monitoring and identity protection services. Now that coverage is about to end, OPM has chosen to move ahead with a different provider.

OPM picked ID Experts as its new vendor, in part because the company is a part of the General Services Administration’s blanket purchase agreement, the senior agency official said.

The new contract is worth about $9.1 million, an OPM spokesperson said.

Winvale is not on GSA’s BPA, a point that several lawmakers made when OPM first awarded the $20 million contract just 36 hours after the solicitation was made public.

The OPM official said the agency is working with GSA now to determine what the best procurement strategy for the next 10 years might be.

“We’re currently looking at using their [Special Item Number] as one way as being able to provide services for this longer period of time,” the official said.

Copyright © 2020 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.