It's Costing OPM $20 Million to Contact Hacked Feds


OPM issued a solicitation to identity theft protection companies a week before disclosing a hack that exposed private information on millions of current and former federal employees.

The Office of Personnel Management on May 28 issued a solicitation to identity theft protection companies, a week before disclosing a hack that exposed private information on millions of current and former federal employees.

The day after the breach was made public, OPM finalized a more than $20 million deal with Winvale Group to start notifying individuals "within 48 hours of award."

This would explain the lag between the time the intrusion was revealed June 4 and the notification on June 8.

OPM now says it's in the process of contacting approximately 4 million current and former federal employees whose personal information may have been exposed.

Curiously, though, the initial job order only specifies sending out 3.2 million notifications, including 1 million emails and 1.1 million letters.

Nextgov has contacted OPM for comment. 

Agency officials have said employees for whom the agency has no email address will receive information by snail mail.

Winvale is a reseller of a brand of fraud prevention services OPM is providing called CSID. As of Tuesday afternoon, Winvale's homepage directed visitors to the official CSID OPM informational website

Government officials have said they first learned about a network compromise in April, after testing agency systems for indicators of a never-before-seen threat. It's not clear how long the intruders had been in the network.

EINSTEIN, a network surveillance tool defending an Interior Department data center housing the system, cannot detect previously unknown malware.

This intrusion marks the fourth hack at an organization holding sensitive records on personnel that could be used for extorting secrets. It is believed a nation state is behind the most recent intrusion, the second to strike OPM over the past year. 

The official CSID OPM victim's assistance webpage says the notification emails and letters “will state exactly what information may have been compromised." 

The services ordered include:

  • 2.1 million email notifications
  • 1.1 million notification letters
  • Address research
  • Call center support to assist 3.2 million affected individuals
  • 1 website
  • 3.2 million credit monitoring services
  • 3.2 million ID recovery services if identities are stolen 
  • Project management

The call center will be open Monday through Saturday, according to OPM contracting documents. Customer service representatives must "answer questions about the incident, explain the services being offered and reassure the individuals that the contractor will resolve any harm to the individuals,” the documents state.

(Image via zimmytws/