Despite an onslaught of customer complaints and a congressional inquiry into their contract, the companies that the Office of Personnel Management hired to protect victims of a hack on its personnel database said they want a second go.
Winvale and its subcontractor CSID want to bid on the larger contract to help the 21.5 million people affected by the breach of OPM’s security-clearance database, Winvale CEO Kevin Lancaster said. Lancaster and CSID founder Joe Ross spoke Friday on Federal Drive with Tom Temin.
“We’d absolutely go again for it. We have capacity,” he said. “We’ve got the right solutions, the right lessons learned from this one.”
OPM said it is working with the Defense Department to hire a company to provide three years of identity and fraud monitoring services to those affected by the security-clearance database hack. It has not released details on the solicitation.
Not everyone is convinced that Winvale and CSID’s performance merits an encore. Victims of the hack on the personnel systems reported spending more than an hour on the phone with CSID representatives before being helped. Labor unions questioned why the government could not provide the same services. The National Active and Retired Federal Employees Association complained that the emails CSID sent to recipients were confusing because they did not come from a dot-gov address.
To top it off, lawmakers questioned why OPM had opened the bidding process for just 36 hours before awarding the $21 million contract for identity-protection and credit-monitoring services to Winvale.
“The agency’s awarding of this contract suggests, however, that protecting employees exposed by the breach is not the top priority for OPM that it should be,” Sen. Mark Warner (D-Va.) wrote last month to then-OPM Director Katherine Archuleta.
Lancaster said he understood customers’ frustrations with the long wait times at CSID call centers and problems with the company’s secure Web page for breach victims. The companies’ original plan called for notifying a set number of breach victims each day, he said. But they deviated from that plan under pressure from various federal agencies.
“There are so many different hands in this breach response: OPM, DoD, DHS. Every agency was impacted by this breach,” he said. “We got into a position — probably about a week and a half in — where there was a void in sending emails. And then, in a 36-hour period, we had to send 1.2 million emails.”
“We certainly understand and empathize with the folks that were trying to call into call centers and trying to log into the registration pages because that was an insane number of notifications in such a condensed window,” he said.
At peak times, as many as 15,000 people were trying to enroll in CSID’s identity-protection program, said Ross.
“It’s not like you’re buying tickets online. You’re entering a lot of information. You’re pulling back three to four pages of reports, so it is a very strenuous process.”
CSID and its partners further bogged down the telephone system by making their 1-800 number public. They had first intended to share it only through notices to breach victims. But after two or three days, Ross said, they decided to publicize the number because of the large number of people who feared they had been victims but had not yet received notices. Those calls represented more than half of the total volume in the first two weeks, he said. The company added 165 customer service representatives to meet the demand.
The service representatives would look up those callers in their database. If they had, in fact, been victims of the breach who had yet to be notified, then they received their PIN codes over the phone, he said.
“When the decision was made to open the phone lines up, that’s when we had the longer hold times. It was the right thing to do,” he said.
Today they have more than 260 call center representatives, Lancaster said.
The companies also drew criticism for sending breach victims emails from CSID addresses, rather than official government accounts, about their services. The unexpected dot-com emails looked like phishing scams to some. NARFE felt compelled to reassure its members that those emails were legitimate. Ross said emails provided a cost-effective way to notify people and, given that OPM had current email addresses for most victims, seemed like the quickest and best response.
But the various players in the breach complicated the process once again, Ross said.
“In the private sector, you have one company with one company’s policies,” he said. “OPM was servicing 10, 20, 30 different agencies and each agency had their own policies around emails, securities and protocols. Managing the different agencies’ protocols was a bit challenging in managing the email notifications.”
Nearly 21 percent of breach victims — more than 900,000 people — have enrolled in CSID’s services, a relatively high percentage compared to other large-scale breaches, Lancaster said.
“There is a silver lining: a phenomenal uptake rate,” he said.
Individuals who have enrolled in the breach response program have access to a variety of identity-protection services, Lancaster said. In addition to monitoring their credit and financial records, the company peruses the “dark Web” for signs that identity thieves are attempting to sell victims’ personal information on the black market.
“There is no indication that any OPM information has ended up on the dark Web yet,” Lancaster said.
In general, CSID’s clients receive three times as many alerts about sensitive personal information found on the dark Web as they do credit alerts, Lancaster said.
People who sign up for CSID’s services, whether through OPM or separately, receive alerts if something in their credit history, financial records or other reports seems fishy. If fraud has occurred, then the company requests limited power of attorney so it can clean up those records. That may entail calling courthouses and financial institutions to have those records expunged, Ross said.
The request asked for bids within 36 hours, leading some to question whether the contract had been wired for a certain company. But to Lancaster, there was nothing suspicious about OPM’s urgent solicitation on the FedBizOpps website on May 28.
“Thirty-six hours is unusual from a federal standpoint,” he said. “But if you look at the average lead time for an incident like this, at times you’re dealing with hours, or maybe two to three days’ turnaround, to respond to a solicitation.”
By the time a cyberattack victim is ready to hire a company like CSID, he said, it has already done a lot of work to investigate the attack and determine its scope.
His teams worked hard within those 36 hours to propose an effective solution, he said. CSID’s ability to monitor the dark Web and provide other services that go beyond credit monitoring gave it the advantage it needed to win OPM’s business, he said.
CSID has provided similar services for victims of other large data breaches, including a 2012 breach of South Carolina’s Department of Revenue. Those breaches pale in comparison to the hack of OPM’s personnel database, however.
Jory Heckman is a reporter at Federal News Network covering U.S. Postal Service, IRS, big data and technology issues.