Pentagon Hires Investigators to Find Hacked Feds


A tool for determining why mail notifications are returned must be running by Oct. 9 and a website for individuals to check if they're affected by the breach must be running by Nov. 17.

Individuals who suspect their background investigations records were compromised in the sweeping Office of Personnel Management hack but do not receive notifications next month should be able to troubleshoot online, rather than deal with call centers, contracting documents reveal. 

The Defense Information Systems Agency on Sept. 24 quietly awarded a rush $1.8 million deal to the technology firm Advanced Onion for mail address-locating services. The Pentagon is in charge of alerting the 21.5 million individuals whose personal information was snared by what is believed to be an act of Chinese government espionage targeting the federal government.

The military is out of compliance with breach notification deadlines and needs the support by Sept. 28, Defense officials acknowledged in a justification for tapping the firm without holding an open competition.

Advanced Onion is the only vendor that meets facility security requirements and is familiar enough with the Defense Manpower Data Center to step in immediately, officials said. A tool for determining why mail has been returned must be running by Oct. 9 and a website for individuals to check if they're affected by the breach must be running by Nov. 17. 

The 4.2 million victims of a smaller, related breach who were notified in June complained of waiting on the phone 90 minutes for customer support, legitimate alerts that looked like spam mail and notifications that failed to arrive.

Under the new contract, "individuals who believe they may have been affected by the breach, but have not received notification" will be able to fill out a form to learn whether they are affected, the contract notice states. Individuals can go online and “securely provide" identifying personal information to "investigate their eligibility without calling a government call center."

Also, when undeliverable notifications come back to the government, the contractors will, by hand, scan the codes on each envelope to log the reason why, according to contracting documents.

The government in early July announced the extent of the larger hack that compromised background investigation files.

A Defense Privacy Program directive requires that, in situations such as this one, victims should be alerted “as soon as possible, but not later than 10 working days after" the breach is detected and the "identities of the individuals ascertained." 

As of Sept. 28, members of the affected population had not received a letter or email.

"DOD and OPM will continue to be in noncompliance" with the privacy directive, if Advanced Onion is not retained now, officials said in the contracting documents.   

On Sept. 1, officials said the government would begin individually alerting victims "later this month.” 

Discoveries about the scope of the attack continue to unfold. 

Estimates of the number of federal personnel whose fingerprint data were stolen in the hack jumped from about 1.1 million people to 5.6 million, OPM officials announced Wednesday. 

Earlier this month, U.S. officials tapped counterfraud firm, I.D. Experts, to offer the 21.5 million notified individuals three years of credit monitoring, ID theft monitoring, ID theft insurance and ID restoration services. 

The hacked forms are filed by contractors and government employees applying for a security clearance to handle classified secrets. Among other things, they catalog foreign contacts, biographical information and delicate personal issues, such as drug use. 

(Image via Tammy54/