The Office of Personnel Management’s contract to provide credit monitoring services for victims of its first major cyber breach began on troubled ground and likely will end amid more confusion and disagreement.
With less than a month until the Dec. 1 deadline, OPM and its contractor Winvale/CSID can’t agree on just how many people need to re-enroll with a new vendor to keep credit monitoring and identity protection services, and a plan to smoothly transition those victims from one service provider to another hasn’t been finalized.
On Oct. 31, OPM first reported that about 600,000 people — the total population of victims who were only impacted by the first of the cyber breaches — would need to re-enroll for identity protection services by Dec. 1, when the agency’s contract with Winvale is set to expire.
But a few days later, OPM updated that number to indicate that only 100,000 to 150,000 people will need to re-enroll. An OPM spokesperson said Nov. 4 that number was based on new information from Winvale, specifically the percentage of the 600,000 victims who had enrolled with the vendor.
But Winvale/CSID, the vendor whose contract for credit monitoring and identity protection services is set to expire Dec. 1, insists OPM is “focused on the wrong number.” As of Oct. 18, the company enrolled roughly 25 percent — or 1.1 million — of the 4.2 million victims impacted by the first OPM cyber breach in June 2015.
“We have enrolled 1,084,581 [people],” Winvale CEO Kevin Lancaster said. “Contrary to OPM’s assumption, this is how many will need to re-enroll into a new product after they are terminated on Dec. 1.”
OPM’s most recent total of 100,000 to 150,000 is based on a conversation it had with Winvale, when it asked the vendor for the number of victims only impacted by the first cyber breach who had enrolled with the company, an agency spokesperson told Federal News Radio.
The vendor told the agency that the affected population was “virtually in line” with the percentage of Winvale’s overall enrolled population of 1.1 million, the OPM spokesperson said.
But Winvale said the exact number in question was unclear, and a specific number required further study.
“I’d assume that the enrollment percentage would be in line with the 4.2 million,” Lancaster said. “But that is not the number of people that need to enroll. That’s the number of people we’d assume.”
OPM also doesn’t have a firm idea of the number of people who were impacted by both cyber breaches and have signed up for credit monitoring services with both Winvale and ID Experts.
The OPM spokesperson said the agency often receives data from its vendors on the fly, and the number of people who were impacted by both cyber breaches and signed up for services with both Winvale and ID Experts is unknown.
During its Oct. 31 announcement, OPM said victims impacted by both cyber breaches have already had the opportunity to sign up for coverage under ID Experts when OPM sent out notification letters to victims of the second breach last fall.
The agency said it expects a certain number of people have in fact enrolled for both services — even if it doesn’t know what that number is.
ID Experts declined to comment about the number of breach victims who signed up for both services.
“I’m not sure anybody has a real good grasp on this,” a Senate aide told Federal News Radio. “I would characterize the situation as a little confusing and certainly less than optimal.”
The aide added that the contract with Winvale has been difficult from the start.
“I’m not criticizing OPM,” the aide said. “This was an unprecedented situation that everybody was dealing with.”
The National Treasury Employees Union said it’s also concerned by the process its members have gone through to enroll in credit monitoring services, particularly considering the sheer amount of personal data that hackers reportedly accessed.
“The entire notification and enrollment process for both incidents has been confusing and even for federal employees and family members,” NTEU National President Tony Reardon said in a statement to Federal News Radio.
Winvale also is concerned by the fast turnaround time in which OPM plans to move victims enrolled with Winvale to the new vendor, ID Experts. OPM’s contract with Winvale ends Dec. 1, giving less than a month for the transition to happen.
“This takes time to transition,” Lancaster said. “You have to figure out some kind of soft landing. Otherwise you’re turning 1.1 million people off overnight.”
Leadership on the House Oversight and Government Reform Committee wrote to acting OPM Director Beth Cobert Nov. 3 asking about the agency’s plans to transition Winvale enrollees to the new provider.
“The transition to a new service provider may create confusion for the individuals covered by the Winvale/CSID contract,” the committee wrote. “As the service period under this contract draws to a close, and to ensure that affected individuals receive sufficient information and services during the transition to a new provider, please provide the following documents and information as soon as possible.”
The committee specifically wants to know how OPM plans to communicate with impacted victims about the upcoming changes to their identity protection services and how they can re-enroll with a new provider. In addition, lawmakers are looking for more details on OPM’s contract with Winvale to “support call volume and other forms of response in the remaining month of the contract, the volume of staffing hours this funding will support and if such volume is sufficient to meet demand,” the letter said.
OPM has until Nov. 21 to update the committee.
An aide on the committee’s minority staff said it reached out to OPM earlier in October to find out about the agency’s plans for the Dec. 1 deadline.
“[It was] probably about two weeks ago that some of the contractors had reached out to us to indicate as far as with the first data breach incident, the contract was expiring, and [they] wanted to get clarity as to what was going to happen next,” the staff member said.
But to date, OPM has not finalized a contract with Winvale for services to support that transition after Dec. 1, Winvale said.
“We are trying to work with OPM to extend our protection to this impacted population after Dec. 2,” Lancaster said. “We are attempting to address ‘termination’ notifications, call routing, call center staffing and the continued support of more than 1,000 open identity restoration cases.”
A senior OPM official said it’s having discussions now with Winvale to work out the details of the transition services.
Transitioning victims from Winvale services to ID Experts also is something lawmakers are watching closely.
“We do remain concerned with both OPM and the contractors that they can do this so that it’s as smooth and seamless a transition as possible,” the House aide said. “That’s still a concern of ours. On both respects, with OPM and the contractors, these dates were not a surprise.”
OPM had contracts with two vendors for credit monitoring and identity protection services: ID Experts, which OPM offered to the victims of the second breach of background investigation information, and Winvale/CSID, which the agency hastily awarded after news of the first cyber breach of personnel records broke.
Breach victims who have credit monitoring services with ID Experts will see no changes in coverage and do not have to take any action.
OPM said it’s still encouraging breach victims who haven’t enrolled in identity protection services to sign up for coverage.
“Individuals, if they haven’t already enrolled, can use the notification letter that the government had mailed last fall to go ahead and sign up for those services with ID Experts,” the OPM official said.
Victims also can visit the OPM online cyber resources center to ask for another copy of their notification letter if they’ve lost the original.
When OPM first awarded the contract with Winvale in June 2015, victims were originally offered 18 months of free credit monitoring and identity protection services. Now that coverage is about to end, OPM has chosen to move ahead with a different provider.
OPM picked ID Experts as its new vendor, in part because the company is a part of the General Services Administration’s blanket purchase agreement, a senior agency official told reporters during an Oct. 31 press call.
The OPM official said the agency is working with GSA now to determine what the best procurement strategy for the next 10 years might be. OPM’s contract for all breach victims will end Dec. 31, 2018.
OPM will eventually offer credit monitoring services to breach victims for 10 years, as now required by law.
“I’m not surprised it’s played out this way,” the Senate aide said. “It’s a little unfortunate because it is causing confusion, but the advantage when we get over this obstacle is that the coverage will be harmonized for everybody and then it will be easier to figure out what to do for the coverage post-2018.”