Senator Questions Whether Hacked OPM Rigged A Contract With ID Protection Vendor

A Virginia senator is calling on the Office of Personnel Management to possibly yank a deal with fraud protection company CSID, in light of questions about contract rigging and the firm's performance providing services to victims of one of the most severe hacks in U.S. history.

Since June 8, CSID, a firm subcontracted by D.C.-based prime vendor Winvale Group, has been sending notification emails and postal letters to 4.2 million former and current federal employees affected by a network compromise detected in April. The messages detail credit monitoring, ID theft insurance and other free protections CSID will provide for 18 months.

OPM publicly opened a competition for the job May 28, a week before disclosing the breach.

The day after the incident was revealed, OPM finalized a $21 million deal with Winvale.

Many Virginians "have reported receiving inaccurate or out-of-date information regarding their credit history, which calls into question CSID’s ability to appropriately protect them from fraud and ID theft," Sen. Mark Warner said in a June 19 letter to OPM director Katherine Archuleta. There are reportedly 14 million individuals potentially affected, because of a second, related breach that compromised sensitive data on individuals with access to national secrets.

On CSID's dedicated hotline for victims, wait times of more than an hour are not atypical, Warner said.

Warner also pointed out that CSID had been sending email notifications that contained a link to an ID protection registration site. Basic cyberhygiene recommends users never click on an email link and enter personal information. Earlier this week, OPM and CSID suspended notifications to redesign the emails, agency officials said. In messages that started going out Wednesday, recipients have the option of cutting and pasting a nonhyperlinked URL into their Web browser to get to the login site, officials said.

"If the company is unable to handle the volume resulting from a breach of this size, the contract should be terminated and awarded to a company that can," Warner warned.

Proposals for the work were due less than 36 hours after the solicitation was posted, according to public government databases. OPM altered the solicitation three times during that period. Less than a week after the initial announcement was published, OPM awarded Winvale the deal.

"According to procurement experts, such a short turnaround time is highly unusual and raises suggestions that OPM could have intentionally steered the contract to CSID," Warner said.

The General Services Administration, the government's central contracting agency, already is equipped to quickly set up credit monitoring services in the event of a breach, he said, pointing to a 2006 cyber incident at the Department of Veterans Affairs that affected millions of veterans, military members and their relatives. GSA awarded three companies contracts to help with ID protection, in that situation.

One of those firms, Bearak Reports, has said it was unaware of the OPM solicitation and would have vied for the work if it had known.

"This raises questions as to whether OPM followed all appropriate federal procurement protocols in awarding this contract," Warner said. "How does OPM justify awarding what appears to be a sole-source $20 million contract with four one-year renewal options in this case?"

CSID spokesman Patrick Hillmann said in an email that, for individuals encountering longer than average wait times, "the quickest way to enroll is still via the Web portal that is listed in the email and letter notice that potential enrollees have or will receive."

Customer support centers have been scaled up to handle the amount of inbound calls, but it takes time for agents to properly assist each customer, he said. To help alleviate wait times, CSID has added a call-back feature that records a customer's phone number and dials the individual back when a service representative is available, Hillmann said.

Responding to Warner's assertions about improper contracting, Hillmann said providing ID monitoring and restoration services to those affected "is what we have been focusing on throughout this process and what we must continue to focus on in the coming days and weeks. It would be inappropriate to allow ourselves to be distracted by nor comment on political matters."

OPM officials have been contacted by Nextgov for comment.