The Office of Personnel Management’s contract for credit monitoring services is coming under further scrutiny.
Sen. Mark Warner (D-Va.) joins in the questioning of how OPM made the decision to award a contract that could be worth $20.7 million over five years to Winvale for credit monitoring services.
The lawmaker sent a letter to OPM Director Katherine Archuleta today seeking answers about both the rationale for the contract award and the performance of Winvale and its subcontractor CSID.
“As you are well aware, I have a large number of constituents in Virginia who are current, former or retired federal employees, and in the past two weeks, I have heard complaints from many of them about the poor quality of service provided by CSID,” Warner wrote. “My constituents have reported that the website crashes frequently, and that the company’s dedicated hotline regarding the OPM breach has incredibly long wait times. Wait times of over an hour are not uncommon. Even as I write, CSID is reporting a wait time of approximately 90 minutes to speak with a representative.”
Warner also questioned OPM’s judgment in contacting current and former feds through email sent by CSID that included a link back to its site.
Warner said the letter is “a violation of basic cybersecurity protocols that employees should never click on unfamiliar links because they risk exposing employees to scammers’ phishing attempts. Needless to say, I am deeply troubled by these reports. OPM must hold CSID accountable for timely and accurate responses to federal employees who are rightfully concerned about the impact of this breach. If the company is unable to handle the volume resulting from a breach of this size, the contract should be terminated and awarded to a company that can.”
He also questioned OPM’s contract award to Winvale in the first place.
As first reported by Federal News Radio, OPM issued the request for quotes for credit monitoring services on May 28 and closed the bidding process 36 hours later. Several procurement experts questioned whether OPM truly had competition for the RFQ or if the contract was “steered” or even “wired” to Winvale.
An OPM spokesperson said the agency received three responses to the RFQ. The spokesperson didn’t say which companies bid.
“As a result of OPM’s announcement regarding the cyber incident for background investigation information, the number of calls being made to the contractor, CSID, have increased exponentially,” the spokesperson said. “This is causing long wait times and other issues for the individuals who have been notified that their data was disclosed as a result of the cyber incident involving personnel records. The contractor is staffing additional call centers to reduce the call times and ensure high quality service to our Federal employees. We appreciate the patience our workforce has shown as we work through this unprecedented situation.”
“Winvale and CSID have been hired to provide identity monitoring and restoration services to those affected by this cybersecurity incident,” said Patrick Hillmann, a Winvale spokesman. “That is what we have been focusing on throughout this process and what we must continue to focus on in the coming days and weeks. It would be inappropriate to allow ourselves to be distracted by nor comment on political matters.”
Warner asked for OPM to answer four questions about the contract award to Winvale:
To the best of your knowledge, how did CSID learn of the RFQ?
Did OPM receive bids from any companies other than CSID?
Why did OPM choose not to pursue a bid through GSA, an agency established by Congress in order to cut down on wasteful overhead and administrative costs by centralizing the procurement process?
If the contract was awarded based on urgency, under federal procurement guidelines, OPM could have properly awarded a sole-source contract for a period of 12 months. How does OPM justify awarding what appears to be a sole-source $20 million contract with four one-year renewal options in this case?
Warner joined Sen. James Lankford (R-Okla.), chairman of the Homeland Security and Governmental Affairs Subcommittee on Regulatory Affairs and Federal Management, in seeking more answers about the breach. In a June 10 letter to Archuleta, Lankford also asked for answers from OPM about the contract award to Winvale.
And the American Federation of Government Employees (AFGE) added its concerns to the mix, sending a similar communication to Archuleta pointing out many of the same problems it is hearing about CSID’s customer service.
“The most frequent complaint I have received — one which is well within your power to address — is the horrendous experience people have had in trying to access assistance from the contractor you hired to perform credit monitoring services, CSID,” wrote J. David Cox, president of AFGE, in the union’s second letter to Archuleta in the past week. “It appears OPM spent a grand total of 36 hours in considering which contractor to hire. The decision to hire Winvale/CSID so quickly might not be raising such questions if it were known as an expert in credit monitoring.”
AFGE also quoted the Federal News Radio story that highlighted the questions surrounding the award to Winvale.
Cox said he “cannot count the number of AFGE members who have reported abysmal experience with CSID. The website crashes constantly. The ‘information’ they produce is of the lowest quality; one member’s report told him he was on a sex offenders list and he is definitely not; another received information using her maiden name even though she has been married 18 years and never worked for the executive branch under her maiden name, others have received various pieces of information they know for certain is false.”
AFGE called Winvale/CSID “clearly incapable” and “unqualified” to provide credit monitoring to 14 million people.
“They are making a disastrous situation worse, and their contract should be terminated for the failures that have already come to light,” Cox wrote. “Their continued involvement is adding to the impact of the breach itself, and making those affected by the breach even less trustful that the government is capable of protecting their data or remediating the breach.”
Cox continued to push OPM to be more forthcoming with information about what happened and who is impacted.
Once again, AFGE brings up another potential worry for federal employees.
“[T]here is one question weighing heavily on everyone’s minds, and it’s a question you have an absolute moral responsibility to answer right away. That question is: was direct deposit payroll information breached?” Cox asked. “Federal employees deserve to know the answer to that question and they deserve it immediately. It may be too late for some if this is something that is reluctantly acknowledged in a Hill hearing next week or next month.”