OPM, DOD to spend up to $330M on ID protection

The U.S. government is initiating protections for the 21.5 million people affected by the hack of the Office of Personnel Management, with the Navy awarding a $133.3 million contract—which could grow to $330 million if all options are exercised—to ID Experts for data breach recovery services.

Services provided under the contract—officially to Identity Theft Guard Solutions doing business as ID Experts, and awarded by the Naval Sea Systems Command—include credit and identity monitoring services, identity theft insurance, identity restoration services, and website and call-center services, according to a Defense Department announcement.

Hackers, reportedly traced to China, stole personal information on 21.5 million current, former and prospective government employees, contractors and family members, including 19.7 million who had undergone background checks—in which they disclose extensive amounts of information. The other 1.8 million were mostly family members and co-habitants, according to OPM.

Along with names, addresses, Social Security numbers, financial and criminal histories and other records, 1.1 million of the stolen records also included fingerprints.

Because of the extent of the breach, DOD and civilian agencies are working together to provide the protection services. The NAVSEA contract is the first task order under the General Services Administration’s five-year Blanket Purchase Agreements for Identity Monitoring, Data Breach Response and Protection Services.

“We remain fully committed to assisting the victims of these serious cybercrimes and to taking every step possible to prevent the theft of sensitive data in the future,” Beth Cobert, Acting Director of the Office of Personnel Management, said in a statement. “And as someone whose own information was stolen, I completely understand the concern and frustration people are feeling.”

Speculation that China was behind the hack has run strong, with administration officials confirming China’s involvement off the record but the Obama administration stopping short of publicly pointing the finger. The administration, however, reportedly is preparing a slate of potential sanctions against Chinese enterprises while preparing for a state visit by Chinese President Xi Jinping.

Administration officials have said that China and Russia are assembling large databases of information on U.S. citizens, collecting and cross-referencing information from breaches such as the OPM and Anthem hacks as well as the information released from the hack of the Ashley Madison website. At least part of their purpose is to identify U.S. intelligence agents.

The fact that that information taken from OPM’s databases has not turned up on the Dark Web or otherwise been used in extortion schemes or other activity suggests that a state actor was behind the hack, security officials have said.

During notifications of a related OPM hack that affected 4.2 million people (many of whom overlap with the 21.5 million affected by the larger hack), a phishing campaign was reported to be posing as notifications from OPM or identity protection firm CSID. In fact, victims of that breach complained that their actual notifications looked fake, since at some of them came from CSID’s .com Web address. OPM said the next round of notifications under the contract to ID Experts would all come from .gov or .mil addresses. Those notifications will start to go out around the end of the month, although all of the 21.5 million victims, along with their dependent children, are covered as of Sept. 1.