OPM Took Five Months to Notify Victims of Massive Cyber Attack

Feds send letters to 93 percent who had data stolen

December 11, 2015

The federal government took five months to notify Americans who had their personal information compromised in a massive cyber attack on government servers disclosed earlier this year.

The Office of Personnel Management (OPM) announced Friday that it, in partnership with the Department of Defense, has mailed notification letters to approximately 93 percent of the more than 21 million Americans, most of them federal workers, who had their Social Security numbers and other personal information stolen by hackers.

The letters alert victims that they can receive credit monitoring and identity theft protection from a company that was awarded a federal contract to provide the services in September. Impacted individuals and their minor children can receive credit and theft protection at no cost for up to three years.

"OPM and our partners across government remain committed to protecting the safety and security of the information provided to us. Together with our interagency partners, OPM is dedicated to delivering high-quality identity protection services to impacted individuals," OPM spokesman Sam Schumach said in a statement Friday.

"The interagency team continues to review the impacted data to monitor for any misuse, and the U.S. government will also continue to evaluate the coverage being provided and whether any adjustments are appropriate in association with this incident."

The announcement comes more than five months after OPM initially acknowledged that over 21 million Americans had personal information compromised in the breach, which led the agency’s former director Katherine Archuleta to resign.

At the beginning of September, OPM awarded a $133 million contract to Identity Theft Guard Solutions to provide identity protection services to victims of the breach, which is believed to have been carried out by Chinese hackers. At the time, the government said it would take up to four months from the initial announcement of the hack—or until November—to notify all victims.

The acknowledgement of the breach in July came a month after OPM said publicly that the personal information of 4.2 million people was stolen in a separate breach. OPM awarded a nearly $21 million contract to a company called CSID to offer identity theft protection to the victims in the earlier attack.

That contract came under scrutiny in a report from the agency’s inspector general released this week, which found that OPM violated federal contracting regulations in several ways when making the deals with CSID.