
After 2015 breach, OPM overpaid for identity theft protections, report finds

The Office of Personnel Management appears to be overpaying for an identity theft insurance program it rolled out to protect more than 20 million current and former U.S. government employees whose personal information was exposed in the agency’s massive 2015 data breach, a government watchdog said.

The newly released report by the Government Accountability Office notes that OPM is providing coverage at a level that is “likely unnecessary” because “claims paid rarely exceed a few thousand dollars.”

Exacerbating costs further, the government does not know how many affected individuals may have signed up for two different government identity theft monitoring programs that essentially offer the same thing.

After the breach was acknowledged, OPM contracted two firms, Winvale Group and ID Experts, to protect government employees who had their personal information exposed in the personnel records breach and in a separate breach of background investigation data.


“OPM has estimated that about 3.6 million people were affected by both breaches and therefore were offered identity theft services under both contracts,” the report reads. “The duplicative services offered to the two groups of affected individuals overlapped by more than a year.”

The government has paid $28.9 million to Winvale and another $209.1 million to ID Experts for their services.

“For the Winvale contract, about 25 percent, or very roughly 1 million people, of those offered services had signed up as of December 2016,” GAO Assistant Director Jason Bromberg told CyberScoop. “For the ID Experts contract, about 12 percent, or roughly 2.5 million people, of those offered services had signed up as of July 31, 2016.”

Congress originally mandated that OPM provide all victims with 10 years' worth of credit and identity theft monitoring and restoration services, including a $5 million insurance plan. According to GAO, this blanket approach may not have been the most efficient because it essentially overestimated the damages caused by the breach. Cheaper, more customizable service plans could have done the job, the report states, potentially at lower cost.

The OPM breach is widely attributed to Chinese intelligence services, an actor that sought intelligence from the operation rather than financial gain. No indictments have been made in the case.


Experts say that there are no known, verified instances of stolen OPM data being bought, sold or traded online by cybercriminals.

Written by Chris Bing

Christopher J. Bing is a cybersecurity reporter for CyberScoop. He has written about security, technology and policy for the American City Business Journals, DC Inno, International Policy Digest and The Daily Caller. Chris became interested in journalism as a result of growing up in Venezuela and watching the country shift from a democracy to a dictatorship between 1991 and 2009. Chris is an alumnus of St. Mary's College of Maryland, a small liberal arts school based in Southern Maryland. He's a fan of Premier League football, authentic Laotian food and his dog, Sam.