The US government is set to spend $133m on identity theft protection services for over 21 million victims of the Office of Personnel Management (OPM) breach, despite having failed thus far to inform those affected.
In a statement on Tuesday, the OPM jointly announced with the Department of Defense the award of a $133,263,550 contract to Identity Theft Guard Solutions (ID Experts) for “credit monitoring, identity monitoring, identity theft insurance, and identity restoration services.”
Those affected will get the service free of charge for a period of three years following one of the largest and most damaging data breaches in the US government’s history.
“Millions of individuals, through no fault of their own, had their personal information stolen and we’re committed to standing by them, supporting them, and protecting them against further victimization,” said acting OPM director, Beth Cobert, in a statement.
“And as someone whose own information was stolen, I completely understand the concern and frustration people are feeling.”
Yet the OPM has so far failed to inform those 21.5 million former and current government employees and their families affected by the breach, nearly three months after it first discovered the intrusion.
The statement noted:
“The US Government, through the Department of Defense, will notify those impacted beginning later this month and continue over the next several weeks. Notifications will be sent directly to impacted individuals.”
The OPM breach has the potential for far-reaching consequences given that some of the data stolen related to security clearance background checks for military and intelligence officials.
Already reports are emerging that foreign powers including Russia and China are cross-checking the data with other breached information from Ashley Madison, healthcare provider Anthem and other hacked companies to uncover, track and even possibly bribe or recruit US spies.
Charles Sweeney, CEO of web security firm Bloxx, argued that the $133m outlay “puts a figure on just how costly a reactive approach [to cybersecurity] can be.”
“Alarmingly, the text of the release seems to imply that not all impacted people have been informed about highly sensitive, personal information that has been stolen,” he told Infosecurity.
“Three months on this seems inconceivable. If this was the private sector I have no doubt that the US government would be shouting from the roof tops about duty of care and the importance of a rapid response when an individual’s ID has been compromised.”