OPM looks to wrap breach notification by early December

The Office of Personnel Management is on track to finish notifying 21.5 million victims of the agency's massive data breach some six months after the intrusion became public.

The final notification letters should be sent by the second week of December, OPM spokesperson Sam Schumach told FCW. The agency has already mailed 14.5 million letters and is printing 800,000 each day.

"We're getting into the final push," Schumach said.

That final push will include old-fashioned letters and a brand-new web portal.

OPM has publicly characterized its hack as two separate breaches -- the first involving 4.2 million personnel records and the second involving a 21.5 million-person background check database -- but internal documents obtained by FCW indicate that the breach was a single sustained assault.

Notifications for the first breach were sent over the summer, but after security concerns about email and allegations of a botched, rushed contract, OPM slowed down, enlisted the Defense Department's help and chose snail mail for the second round of notifications.

Along with hard-copy notifications, the agency will launch OPM Verify, a public portal with two aims: letting victims who haven't yet received their notification letters confirm their status and helping fill the gaps in OPM's address list. Schumach said the portal will be made public in the next week or so.

But how much good will it do?

"Even if you haven't gotten your letter, you kind of know you're on the list and you should be taking steps accordingly," said Larry Allen, president of Allen Federal Business Partners. "If your neighbors and colleagues were breached, you probably were breached, too."

Coming this late in the notification process, the portal will be a "public-facing feel-good thing" that does little to help affected feds, Allen said, adding that few people will likely learn their victim status from the portal because most of the notification letters will have been sent by the time it goes live.

Although Schumach said the portal will also deliver information about breach-mitigation services, Allen questioned its overall usefulness and wondered why scarce IT dollars were being funneled into the project, which involves a non-competitive $1.8 million award from the Defense Information Systems Agency to tech firm Advanced Onion.

On the mailing list front, Schumach confirmed that the agency is pursuing other methods to track down correct addresses for the small percentage of letters that are being returned as undeliverable, including tapping the U.S. Postal Service's databases.

About the Author

Zach Noble is a staff writer covering digital citizen services, workforce issues and a range of civilian federal agencies.

Before joining FCW in 2015, Noble served as assistant editor at the viral news site TheBlaze, where he wrote a mix of business, political and breaking news stories and managed weekend news coverage. He has also written for online and print publications including The Washington Free Beacon, The Santa Barbara News-Press, The Federalist and Washington Technology.

Noble is a graduate of Saint Vincent College, where he studied English, economics and mathematics.

Click here for previous articles by Noble, or connect with him on Twitter: @thezachnoble.


  • IT Modernization
    Eisenhower Executive Office Building (Image: Wikimedia Commons)

    OMB's user guide to the MGT Act

    The Office of Management and Budget is working on a rules-of-the-road document to cover how agencies can seek and use funds under the MGT Act.

  • global network (Pushish Images/

    As others see us -- a few surprises

    A recent dinner with civil servants from Asia delivered some interesting insights, Steve Kelman writes.

  • FCW Perspectives
    cloud (Singkham/

    A smarter approach to cloud

    Advances in cloud technology are shifting the focus toward choosing the right tool for the job and crafting solutions that truly modernize systems.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.