The Office of Personnel Management says deceased people whose identities were stolen during a monumental OPM background check hack should also be provided ID theft protection.
So, the agency is mailing notification letters addressed to the departed. In some cases, the dead individuals are receiving letters before their hacked, and living, loved ones.
About 300,000 of the 21.5 million victims are deceased, OPM spokesman Sam Schumach told Nextgov on Monday. That figure was derived from a “federal agency version” of the public death master file, a catalog of U.S. deaths since 1936, he said.
Late Friday, the hacked agency updated its OPM Cybersecurity Resource FAQ site to explain why residents are receiving notices for the deceased.
"Please accept our deepest sympathies on the loss of your loved one and please accept our apologies for any distress our letter has caused you," the FAQ states. "Your loved one received a notification letter because we have determined that your loved one’s Social Security number and other personal information were included in the intrusion."
OPM says it is not aware of any bad guys using the stolen data, but "to reduce the likelihood of any misuse, we are offering identify theft protection and credit monitoring services to deceased individuals."
Annually, ID thieves steal personal information on almost 2.5 million deceased Americans, according to the IRS. In 2014, fraudsters were caught pocketing Social Security benefits for the deceased worth more than $55 million, according to the agency's inspector general.
The deceased’s children also are eligible for the ID protection services, which include three years of credit monitoring and ID theft insurance.
OPM is recommending individuals who receive letters intended for departed individuals freeze the deceased's credit by placing a "Deceased. Do not issue credit" alert on credit reports.
To register the deceased person for ID protection services, family members can visit this site and enter a 25-digit PIN written on the notification letter. The user must know the deceased's personal information, like the last four digits of the individual's SSN.
Children of the departed who were under the age of 18 as of July 1 can enroll to protect themselves using the same PIN number.
OPM last week officially debuted a military-secured self-check website that allows anyone to verify if they were victimized by whoever stole records on U.S. personnel applying for clearances to handle classified information and their family members. It is believed Chinese-sponsored cyberspies vacuumed up the data.
The self-verify site was created to let people who believe they are affected but never received a letter obtain protection. Users must enter their personal information and will receive a confirmation or denial in the mail.
OPM disclosed the network intrusion in June and has been mailing notifications to the 21.5 million victims, including the deceased, since October. That entire population is eligible for the free ID protection services, which the government expects will cost taxpayers $330 million over three years.
Nextgov first reported on the soft launch of the “OPM Verify” site in November.
On Dec. 1, OPM Acting Director Beth Cobert said it is expected all letters will be in the mail within the next two weeks.