OPM Ending Data Breach Protections for Victims

by Anika Shah - Technology
0 comments

Current and former federal employees affected by the massive 2015 Office of Personnel management data breach may be losing their identity protection services in the coming year.IDX, the company providing these services as 2015, sent out emails earlier this month telling recipients of their identity protection services that they would have to renew on their own dime after receiving services for 10 years paid for by the government.IDX, which has held the identity protection and credit monitoring contract as 2015, sent at least three emails out over the last few weeks offering customers a discount to renew their subscriptions.

IDX CEO Ian Kelly said that subscribers who have been receiving services for 10 years will need to renew their services and pay for it because OPM will no longer pay for the protection services.

“The MyIDCare membership was a result of the OPM cybersecurity incidents from 2015. Protection was provided in accordance with the Consolidated Appropriations Act for a period of 10 years. OPM has honored the 10-year obligation, and individuals that enrolled will have their coverage expire on the 10-year anniversary of their enrollment date,” Kelly said in an email to Federal News Network.

Additionally, kelly said individuals that enrolled on later dates then 2015 and even through fiscal 2026 will have their memberships expire on the 10-year anniversary of their enrollment.In September, OPM transferred their contract with IDX to the General Services Administration as part of the consolidation and centralization initiative. OPM is one of the three pilot agencies.

The current IDX contract continues through Sept. 30, 2026. OPM awarded a follow on contract to IDX in 2019 under the GSA’s Identity Protection Services (IPS) multiple-Award Blanket Purchase Agreement (BPA).

After the legislative requirement to offer these services through the end of fiscal 2026, an OPM official told Federal News Network that the contract will expire, so current and former federal employees affected by OPM’s data breach will need to consider their options for identity protection and credit monitoring services this time next year.

Protection contract worthwhile?

As far as the contract itself, the OPM official told Federal News Network it has been a “waste of money.”

“The contract cost taxpayers $1 billion, with the most recent annual cost at $58 million. However, the insurance component only paid out $162,000 in claims since 2015. No claims have even been filed since 2022,” the official said.

OPM Data Breach: A Decade Later, Risk Remains for Federal Employees

The 2015 Office of Personnel Management (OPM) data breach, which exposed the personal information of millions of federal employees and those connected to them, continues to pose a significant risk, according to experts. Unlike typical data breaches focused on financial gain, the stolen OPM data is valuable for espionage and long-term intelligence gathering.

“This was not only information about the employees of the federal government who had security clearances, it was also their family members, and it was other individuals who had some relationship with them,” said Dale Lee, a cybersecurity expert, in an interview with Federal News Network. “The information contained in those in the database that was accessed was very specific and very detailed information.You don’t see that generally in data breaches. We have never seen this information in an identity marketplace. So a typical data breach, that information gets put to use immediately in some place, where it’s either sold or shared for the purposes of generating revenue at some point and multiple times. This information was not used that way.”

Lee explained that China or other nation states could combine the OPM data with information from other breaches to create extensive profiles of federal executives and their families, including details about their appearance, travel patterns, and spending habits.

This information could be exploited for espionage, blackmail, or other malicious purposes. The static nature of much of the stolen data – information that doesn’t change frequently – further increases its long-term value.

“What we were talking about with OPM is that still represents an ongoing risk to those individuals, and it also represents an ongoing risk to everybody else,” Lee stated. “Today, data breaches are the fuel for most identity crimes, and one of the most prevalent crimes today is a crime of impersonation. So it’s not just the risk to the individual whose information has been breached. It’s to other people who might be led to believe that they are in contact with the real James Lee, when in fact, it’s just somebody who’s gathered enough information about me to pretend to be me.” he emphasized the heightened risk when dealing with government officials and those with security clearances, as impersonation could have serious consequences.

OPM upped its cyber protections

Lee advises current and former federal employees to consider the enduring value of their data when evaluating identity protection services. He also noted that protecting oneself has become easier and more affordable,with increased accessibility to credit freezes and credit score monitoring. In fact, he considers freezing one’s credit the single most important step individuals can take to safeguard their information.

As the breach, OPM has invested millions in cybersecurity improvements, including migrating data and systems to the cloud. The agency asserts it has robust privacy oversight, risk management, and cybersecurity programs, and is “totally committed to and capable of protecting PII.”

Among the steps OPM has taken is it compl

Related Posts

Leave a Comment