OPM Says 84,000 Hack Victims Still Not Notified

Nearly 40 days after the Office of Personnel Management divulged that attackers copied millions of government employee personnel records, the agency says it's alerted 98 percent of affected employees. That, however, still leaves 84,000 individuals who have not been notified their privacy has been compromised, according to OPM statistics. 

The challenge of warning 4.2 million feds about the threat to their financial and personal security raises questions about the ability to inform more than 21 million victims of another related hack of OPM background investigation files.  

A majority of the past and current employees who fell victim to the first breach – 3.6 million – are part of the separate incident, which also affected family members, contractors holding security clearances and other individuals cleared to see classified material. OPM has not yet hired an identity protection firm to alert the larger batch of victims, which the agency enumerated for the first time Thursday.

Both data breaches have been tied to a Chinese espionage operation. 

Nextgov has heard recently from former federal employees who say they could be caught up in the OPM hack but haven’t yet been notified.

A Federal Reserve staffer, who retired in 2006, and could be among the 4.2 million cohort, said he thought he was unaffected because the Fed is not considered part of the civil service.

A Defense Department civilian, who joined the private sector in 1999, and an OPM employee, who left 18 months ago, expect they are affected, but have not yet formally been alerted to the fact that their Social Security numbers and other identifying information was accessed.

The OPM and Defense employees, separately, expressed bewilderment over what they described as another failure to protect their privacy. 

Are You Affected? There’s A Hotline to Call

OPM officials recommended these individuals, as well as any other unsure current and past personnel, call a toll-free number, 1-844-777-2743, to find out if they are affected. 

While the security clearance hack affects investigative forms going back to at least 2000, no such time parameters have been identified for the personnel records breach, OPM officials said.

"That's one of the reasons why there was a mechanism set up for individuals to self-verify," an agency official told Nextgov Monday night. 

"We believe we have contacted over 98 percent of the 4.2 million individuals affected in the first breach," the OPM official said. "If individuals could not be reached by email, attempts were made by mail. Attempts were also made by using the National Change of Address Database at the U.S. Postal Service."

ID protection firm CSID was paid $20 million to notify and provide 18 months of free anti-fraud services to the 4.2 million past and present federal personnel.

Emails Bounced Back and Snail Mail Was Undeliverable

"OPM provided CSID with the most up-to-date contact information for affected employees it had on record. In rare instances when that information was outdated, CSID took additional steps to track down any missing contact information," Patrick Hillmann, a representative for CSID, said in an email. "Less than 2 percent of those that were sent notifications had no forwarding address or [were] return[ed] to sender, but all attempts have been made." 

If emails bounced back during an initial round of outreach, CSID sent additional notifications in late June, OPM said last month.

Earlier in June, Sen. Mark Warner, D-Va., and some notified employees groused over long wait times on CSID's hotline and reported receiving incorrect credit histories. The company has since boosted call center staffing and OPM says almost 900,000, or about 18 percent, of individuals notified have registered for the ID protection program. 

No notifications have gone out about the background investigation breach announced last Thursday, OPM officials said.

If a person underwent an investigation through OPM, by filing special forms "SF 86," "SF 85," or "SF 85P" for a new investigation or periodic reinvestigation, "it is highly likely that the individual is impacted by this cyber breach," OPM spokeswoman Jennifer Dorsey said in an email. Earlier investigations could also be affected, although it is less likely, she said.

"In the coming weeks,” OPM, working with the Pentagon, will begin to send notification packages to these individuals, Dorsey said. Educational materials will be included to help victims prevent ID theft, secure their personal and work-related data, and "become more generally informed about cyber threats and other risks presented by malicious actors."

The packages also “will provide details on the incident" and instructions on how to obtain three years of free ID protection services, Dorsey said.

(Image via Mark Van Scyoc/ Shutterstock.com)