The last of the notices are set to go out this week to the more than 21 million people whose personal information was stolen in a cyber breach of government security clearance files, with about 1.5 million of those having signed up so far for identity and credit monitoring services.
That is well below the response to an earlier offer of similar services following a separate breach of government personnel files. But it is still above the 5 percent response rate that the service providers cited to the Office of Personnel Management as the average to similar offers when customer information is stolen from private companies, according to the OPM.
[interstitial_link url="https://www.washingtonpost.com/world/national-security/chinese-government-has-arrested-hackers-suspected-of-breaching-opm-database/2015/12/02/0295b918-990c-11e5-8917-653b65c809eb_story.html"]Chinese government has arrested hackers it says breached OPM database[/interstitial_link]
The personnel files breach involved personal and career information on 4.2 million current and former federal employees. The security clearance breach involved 21.5 million people who applied for security clearances, or had them renewed, since about 2000 and in some cases before.
Of that larger group, about 3.6 million are current or former federal employees. Most of the rest are current or former military or contractor personnel, while about 1.8 million were not applicants but were identified in another person’s application.
Beyond basic identifying information, that breach involved highly personal information on applicants such as past financial or legal troubles, and also fingerprints of some 5.6 million.
Virtually all of current and former federal employees affected by the clearance files breach also were victims of the personnel files breach, bringing the total affected by one or the other or both to above 22 million.
In both cases, the government is providing automatic identity restoration services and up to $1 million in insurance for costs related to identity theft. The services are to last through 2016 in the personnel files breach and through 2018 in the clearance files breach.
However, affected persons have to enroll to gain additional free identity and credit monitoring services.
Some 1.1 million of those affected by the personnel files breach have done so thus far since those notices started being sent in June, according to OPM press secretary Sam Schumach. He said OPM does not know how many current or former federal employees are among the 1.5 million who have signed up for the added services in the clearance files breach since those notices started in October–nor does it know how many enrolled for both.
Some who have received notices have expressed reluctance or refusal to turn over the personal information required to sign up. In addition to the personal identification numbers, or PINs, included in the notices, they are asked to provide their Social Security numbers, birth dates and other personal information.
One recipient said that after starting the sign-up process online, “I stopped there. Why should I give that information? Isn’t that the purpose of the identifying PIN number?” she said in an email asking to remain anonymous to protect her privacy. “I’m not convinced this is not yet another scam.”
Schumach said the contractors need that information to start the credit and identity monitoring services, since OPM did not give them full Social Security numbers, only the last four digits plus the PIN.
OPM meanwhile has set up a website and phone number, 866-408-4555, for those who believe they should have received a notice but haven’t; they are advised to wait until at least next week, however, since they may yet get a letter. The letters were sent out randomly.
That center also has services for those who did receive a personal identification number but lost it. A replacement number will be sent, although the process will take up to four weeks.