This is the latest chapter in ongoing drama for a federal workforce that narrowly averted being locked out of their workplaces when Congress agreed to a temporary budget measure Wednesday. That, following a 16-day partial government shutdown in 2013, along with the cybertheft, shakes the reputation of the federal government as a workplace of stability and security.
The cybertheft led to the resignation of the former Office of Personnel Management (OPM) director and strong complaints from Congress and employee organizations, including lawsuits filed by the two largest federal labor organizations.
The official notification comes more than three months after OPM announced the cyberattacks in June. Because of the number of people involved, administration officials expect the process of notifying everyone to take until the end of November. About 600,000 letters are being mailed daily by the Defense Logistics Agency, with the first batch issued Wednesday.
The notices include a personal identification number (PIN) that will be necessary to enroll in certain identity protection services. Affected individuals also are automatically enrolled in identity theft insurance.
Beth Cobert, acting director of the Office of Personnel Management (OPM), said the notification process takes time because of the large number of letters, the national security implications and the need to secure a contractor to provide the services. She also is aware of the strong criticism OPM took in the aftermath of a smaller breach, when employees seeking services suffered long telephone wait times and online glitches.
“All of these factors make it important that we take the time necessary to make sure the notification process is carried out carefully,” Cobert wrote in an e-mail to federal employees Thursday. “We’re committed to getting this right. What this means is that, while the notifications are beginning this week, it could take considerable time to deliver them all.”
Cobert acknowledged the toll the cybertheft has taken on the workforce.
“There is no doubt that we need to rebuild the employees’ trust in OPM, in OPM’s systems, in the federal government’s ability to protect sensitive data,” she said in an interview. “That is absolutely a critical priority for us.”
Among the stolen information are the fingerprints of about 5.6 million people. “If an individual’s fingerprints were taken, this will be noted in their letter,” Cobert’s e-mail said.
The mailings are being sent randomly and not in alphabetical or agency order. So two affected individuals in the same family probably will not receive notification at the same time.
“I understand that many of you are frustrated and concerned, and would like to receive this information soon,” Cobert’s e-mail said. “My personal data was also stolen in this breach, and I am eager to get my notification letter as soon as possible so that I can sign up for these services. However, given the sensitive nature of the database that was breached – and the sheer volume of people affected – we are all going to have to be patient throughout this notification process.”
While federal employees now will know how to get identity and credit services, the uncertainty and frustration over what could happen with their stolen Social Security numbers and other personal information can linger indefinitely.
That frustration was recognized in a National Treasury Employees Union lawsuit, filed in July, which asked a federal court to rule that “OPM’s failure to improve cybersecurity was an unconstitutional act.”
Just this week, Rep. Jason Chaffetz (R-Utah), chairman of the House Oversight and Government Reform, wrote an article in The Hill newspaper that accused OPM officials of leaving the agency vulnerable to cyberattack “by ignoring repeated warnings of system vulnerability, failing to adopt basic cybersecurity best practices and wasting millions of dollars maintaining outdated technology.”
The American Federation of Government Employees made similar points in its lawsuit, filed in June.
Credit and identity services for victims of the data breach will be provided by ID Experts, also known as Identity Theft Guard Solutions, under a $133 million contract. The notification letters to employees warn them that “OPM and ID Experts will not contact you to confirm any personal information. If you are contacted by anyone asking for your personal information in relation to this incident, do not provide it.”