In the wake of the devastating hack of the Office of Personnel Management (OPM), nearly 22 percent of the 4.2 million victims who had their personal information exposed subsequently enrolled with CSID, a company that provides credit and identity theft protection services. Prior to the OPM hack, only between 3-5 percent of victims opted into these services.
Furthermore, an OPM spokesman said that even those who did not proactively enroll will receive identity restoration services, which automatically restore credit and assist with any legal proceedings in the event of personal information being used for nefarious purposes.
The number of victims signing up for post-hack protections is quite unprecedented--960,000 victims signed up for CSID services, nearly a quarter of all those hacked. By comparison, only 3 percent of the 3.5 million victims of a recent Texas comptroller’s office hack signed up for CSID services. The demand for such services is even lower in the private sector: in the recent massive hack of the insurance giant Anthem, only 0.5 percent of the 80 million victims who had their information exposed enrolled in protection services.
In an interview with Government Executive, CSID co-founder and President Joe Ross attributed the high rate of enrollment to a combination of “circumstances and calculated effort.”
After the hack, CSID collaborated with OPM to ensure that every current and former employee affected would receive a notification via email or Postal Service. If a “return-to-sender” message was encountered, CSID went into the USPS national registry to attempt to find an updated address. These measures, coupled with heavy press coverage, drove numbers of enrollment to unexpected levels, Ross explained.
Ross said that neither CSID nor OPM made a concerted effort to encourage those contacted victims to enroll, however CSID set up an easy-to-use Web portal for that purpose. Still, CSID was “caught off guard” by the number of individuals enrolling for protection services; both employees and their advocates began complaining of long wait times and poor customer service.
Winvale, the company that won OPM’s contract and in turn contracted CSID, collected a flat fee of $21 million. Similarly, CSID collected a flat fee based on the size of the hacked population.
Ross said that CSID’s services go beyond simple monitoring of credit, remarking “Your IPhone can do that.” Hack victims will be instantly notified if their name or address is falsely given in connection to a crime or added to a sex offender list. Notifications will also be sent in the event of address changes, or if personal information is posted on the “Dark Web.”
OPM has started “ongoing discussions” with bidding candidates for a contractor that will offer protection services to the 21.5 million people affected by the background investigations data breach, which included not only federal employees and contractors, but their family members as well as applicants. Potential candidates are warned that their services will have to be geared for an extraordinarily high number of users, and that the demand for services could be in excess of 20 percent. Bidders on the new OPM contract will have to take higher enrollment rates into account, says Ross, noting that “we set the bar, not just for the take rate but also the breach response product.”
Winvale CEO Kevin Lancaster confirmed to Government Executive that his company is already expected to make an attempt for this second contract, saying that while the victims of the government hack “took it a lot more serious”, he hopes that the victims of the second hack will react in a similar fashion, “because this is a serious problem.”