The Office of Personnel Management appears to be overpaying for an identity theft insurance program it rolled out to protect more than 20 million current and former U.S. government employees whose personal information was exposed in the agency’s massive 2015 data breach, a government watchdog said.
The newly released report by the Government Accountability Office notes that OPM is providing coverage at a level that is “likely unnecessary” because “claims paid rarely exceed a few thousand dollars.”
Exacerbating costs further is the fact that the government do not know how many affected individuals might have signed up for two different government identity theft monitoring programs that essentially offer the same thing.
After the breach was acknowledged, OPM contracted two firms, Winvale Group and ID Experts, to protect government employees that had their personal information exposed in the personnel records breach and separate breach of background investigation data.
“OPM has estimated that about 3.6 million people were affected by both breaches and therefore were offered identity theft services under both contracts,” the report reads. “The duplicative services offered to the two groups of affected individuals overlapped by more than a year.”
The government has paid $28.9 million to Winvale and another $209.1 million to ID Experts for their services.
“For the Winvale contract, about 25 percent, or very roughly 1 million people, of those offered services had signed up as of December 2016,” GAO Assistant Director Jason Bromberg told CyberScoop. “For the ID Experts contract, about 12 percent, or roughly 2.5 million people, of those offered services had signed up as of July 31, 2016.”
Congress originally mandated that OPM provide all victims with 10 years worth of credit and identity theft monitoring and restoration services, including a $5 million insurance plan. According to GAO, this blanket approach may not have been the most efficient because it essentially overestimated the damages caused by the breach. Cheaper, more customizable service plans could have done the job, the report states, and potentially cost less.
The OPM breach is widely attributed to Chinese intelligence services — a group that sought information from the operation rather than financial wealth. No indictments have been made in the case.
Experts say that there are no known, verified instances of stolen OPM data being bought, sold or traded online by cybercriminals.