The Office of Personnel Management this week began sending letters to victims of the cyber breach.
In an email sent Oct. 1 to employees, OPM Acting Director Beth Cobert said the department began sending notification letters on Sept. 30. These letters included information about the identity theft protection and credit monitoring services available at no cost to the individuals impacted by the breach.
“The notices will contain a personalized identification number (PIN) number which is necessary to enroll in the covered services,” Cobert said. “Please note that neither OPM, nor anyone acting on OPM’s behalf, will contact you to confirm any personal information. If you are contacted by anyone asking for your personal information in relation to compromised data or credit monitoring services, do not provide it.”
“As you know, a very large number of people were impacted by this breach, and the nature of the information involved has national security implications as well,” Cobert said. “OPM and the Department of Defense have continued to analyze the impacted data to verify its quality and completeness, and in this process, we determined that approximately 5.6 million of the impacted individuals had their fingerprints stolen. If an individual’s fingerprints were taken, this will be noted in their letter.”
Cobert said while the current belief is that illegal use of fingerprint data is limited, an interagency working group would continue to monitor the ways in which it can be misused in the future.
“This group will also seek to develop potential ways to prevent such misuse,” she said.
OPM, with the help of the Defense Department, has made strides to protect its system from another hack while also addressing the jeopardized personal identity information from the 21.5 million people affected by the data breach.
This week the Defense Information Systems Agency awarded a $1.8 million contract to Advanced Onion Inc. to help find and notify cyber breach victims. The company will build a website that helps users check if they’ve been affected by the hack by cross checking personal data by securely logging into a site run by the Defense Manpower Data Center (DMDC).
Cobert said in her email she understood victims would be frustrated by the agency’s pace for addressing the breach, but she urged patience and pointed to OPM’s online cybersecurity resource center as a place for information and updates.
“We’re committed to getting this right. What this means is that, while the notifications are beginning this week, it could take considerable time to deliver them all,” Cobert said. “My personal data was also stolen in this breach, and I am eager to get my notification letter as soon as possible so that I can sign up for these services,” she said. “However, given the sensitive nature of the database that was breached — and the sheer volume of people affected — we are all going to have to be patient throughout this notification process.”