After a bruising initiation into Washington politics with his company’s sluggish response to the massive Chinese hack of federal employee data, Joe Ross seems unfazed.
The president and co-founder of CSIdentity Corporation says the company has done the best it could under difficult circumstances to offer identity protection services to 4.2 million active and former employees. Sure, hold times to get questions answered at CSID’s call centers reached two hours or more — but Ross blamed the crush on the government’s decision to make the company’s 1-800 number public instead of limiting it to those whose data may have been compromised.
“Every federal employee and contractor was out there calling with questions,” Ross said in an interview Friday before flying back to the company’s Austin, Tex. headquarters.
“We serviced people who weren’t affected by the breach,” Ross said. “We took a beating early on for doing what in our mind was the right thing to do.”
The company reached out to the Post in an effort to rebut its critics, who stretch from Capitol Hill lawmakers to federal employees and the unions that represent them. Now the Office of Personnel Management is working with the Defense Department to hire a contractor to offer protections to 22 million people whose applications for security clearances were compromised in a second cyber attack, also believed to have been carried out by the Chinese government. OPM officials have said they hope to apply the lessons from the first breach response to this one.
CSID and its partner, Washington-based Winvale Group, want to bid on the new contract, which will require the winning bidder to offer three years of identity protection and fraud monitoring, double what CSID is providing now. DOD has not announced a solicitation.
“In our view, this has been a very successful breach response program,” Ross said as he tried to regain the narrative from critics and “tell the real story.”
“The worst thing was the misconceptions going on about us not being able to handle the [response to] the breach.”
CSID sells identity protection and fraud detection technologies to businesses but not directly to customers. When OPM disclosed the hack of employee data in early June, Winvale won a $21 million contract to offer credit monitoring and other services to affected employees for 18 months.
Ross said his trial by fire in Washington rolling out the company’s highest-profile breach response to date taught him that compared with a cyber attack in the private sector, “This was a much larger education process.”
“Breaches are very emotional experiences,” he said. “In D.C. you’re educating on multiple fronts” — Congress, the multiple agencies involved, unions, anxious employees.
“We’ve learned a lot of lessons. A lot of the criticism came from people not understanding what the breach process is like.”
But days after its three call centers opened, customer service complaints began piling up about CSID. Employees flooded their members of Congress with complaints about telephone wait times of up to three hours, and crashing Web sites when they tried to sign up online for identity protection services.
Employees complained that the e-mail notifications telling them their personnel data may have been compromised should have come from a .gov address. The Defense Department halted the e-mails altogether for a few days, having trained its employees not to open missives with links to unknown senders. Sen. Mark Warner (D-Va.) and other lawmakers questioned why OPM had opened the bidding on the contract for just 36 hours.
“We did a competitive bidding process and won,” Ross said, defending the company against critics who suggested the contract was not competitive. He said he does not know how many other bidders there were.
Media reports early on estimated that up to 18 million people were affected by the breach. But CSID had staffed its call centers with only 120 employees to answer questions. The average call, which is supposed to take six minutes, stretched to 10 and 12 minutes given federal employees’ high level of concern about their personal information.
About half the questions the call center took were from people who either weren’t affected by the breach or had not yet been notified. “They weren’t short calls,” Ross said. “They were emotional calls.”
Ross said 925,000 people have signed up for CSID’s services, about 21 percent of the employees whose data may have been compromised and a relatively high response rate for a data breach. The company has been unable to reach about 20,000 employees for whom the government has no e-mail address or an inaccurate snail-mail one.
Among those signed up for credit monitoring are several members of Congress, whose staffs dialed into the call centers with basic questions on behalf of the lawmakers, Ross said.
People who sign up for CSID’s services receive alerts if something in their credit history, financial records or other reports changes. If there’s fraud, the company requests limited power of attorney so it can clean up those records. That may involve calling courthouses or banks to have those records expunged, Ross said.
In addition to monitoring their credit and financial records, the company canvasses the “dark web” for signs that identity thieves are attempting to sell victims’ personal information on the black market.
CSID has issued about 90,000 alerts based on monitoring so far, but they do not mean that someone’s identity or money was stolen. “Our monitoring does not predict fraud,” Ross said. “I can’t discern whether it was you transacting or a fraudster. Your job is to take the information and make sure it’s accurate.”