The pace of the government’s response has drawn complaints from some consumer advocates. “It’s incredible how long this is taking OPM,” said Ed Mierzwinski, the federal consumer program director at U.S. PIRG, the federation of state public interest research groups.
The government says it's almost done mailing out notifications to people whose information was stolen, but it's hard to verify how many people have received them because some may have gotten lost in the mail or been sent to old addresses.
The government started mailing notifications about the background investigation breach at the end of September, and the process is still underway. It has already completed notifications for a smaller, overlapping breach of a personnel records database disclosed around the same time.
In a Tuesday blog post announcing the new site, acting OPM chief Beth Cobert said the agency is “on schedule to finish the mailing in the next two weeks.”
The government’s latest figures, from roughly a week ago, show that 4 percent of the notifications have been returned as undeliverable, according to OPM press secretary Sam Schumach. “We hear from USPS that anywhere around 2 to 3 percent is normal for a mailing of this size, so we’re very close to that figure,” he said.
But even if a person has not received a letter by the middle of this month, that doesn’t necessarily mean his or her data was safe. Instead, it may show that the government couldn’t find a valid address for the person, according to the blog post.
Part of the issue is that the information stolen potentially goes back decades. Given the length of time covered by the files, people may have moved around a lot — and that makes them harder to track down. OPM has turned to government databases, including payroll files, retiree systems and the USPS change-of-address networks, to try to find people, Schumach said. It has also purchased address information from commercial sources, he said.
Those efforts still haven’t found everyone, but the new Web site could help.
The site doesn’t offer immediate confirmation, but instead it allows the government to review submissions and respond with a letter in about two to four weeks. And users have to enter a lot of data through the site, including their Social Security number, date of birth, and e-mail and home address, to get the investigation rolling.
Because the government is encouraging people who suspect they were caught up in the breach to enter personal details through the site, it should help the government track down victims.
“Part of its job, other than verifying for individuals if they were or were not affected, is providing another method to confirm their current contact information,” Schumach said. In addition to the site, there’s a phone number for the new “verification center,” 866-408-4555, that people can call to get the investigation process started.
Some question why the government took so long to get these sorts of checks set up for the background investigation breach. "Why couldn't they put a website like that up six months ago?" asked Mierzwinski.
But the agency caught heat for lengthy wait times at a similar contractor-run call center system for the smaller personnel files breach. And it likely felt a need to be extra cautious because of the size and sensitivity of the data involved in this one.
“We wanted to make sure we're securing individuals' information,” Schumach said.
If the government realizes that someone’s data was breached after going through the new verification center, its mailed response will include information about how to enroll in the three years of free credit monitoring and identity protection services it is offering victims.
So far, nearly 1.2 million individuals have signed up for the program's protection services, according to Cobert’s post — a small fraction of those whose data was stolen.
But some consumer advocates have argued that those protections aren't enough because breached data may still be used for things like identity theft or fraud once they expire. They suggest taking other steps, like freezing your credit, to help prevent those kinds of problems, instead of catching them once they've already happened.