Full dollar cost of OPM breach still a giant unknown

When you add up credit monitoring costs and cybersecurity spending, the fallout from the OPM breach could rocket past $1 billion. How much of that will be well spent? And what unknown costs are still lurking?

Shutterstock images (honglouwawa & 0beron): Bitcoin image overlay replaced with a dollar sign on a hardware circuit.

With the long-awaited announcement of a second contract for credit monitoring and other mitigation services at the beginning of this month, it might seem as if Uncle Sam can close the Office of Personnel Management breach ledger.

But the number OPM trumpeted on Sept. 1 – $133 million – doesn’t begin to tell the whole story.

The true costs of the breach will be much greater – and many of them remain unknown.

Credit monitoring is pricey – and maybe unnecessary

The Sept. 1 award to Identity Theft Guard Solutions LLC, doing business as ID Experts, will cover credit monitoring and identity theft insurance up to $1 million for all of the affected feds, civilians and their dependent children (roughly 28 million people).

Fully executed, the contract will cost the government just shy of $330 million through December 2018.

But of course, that’s not the full cost of credit monitoring services generated by the OPM breach. Despite the fact that the massive exfiltration of personal data was one sustained assault, OPM classified the debacle as two separate breaches, and awarded a $20 million contract for the mitigation of the “first” breach (affecting roughly 4 million people) in a single week to the firm CSID.

CSID’s work was plagued with problems, and Sen. Mark R. Warner (D-Va.) remarked that the lightning turnaround was “highly unusual,” echoing other calls for an investigation into the award process.

In response, OPM went to the opposite end of the spectrum for the second round, enlisting the help of the General Services Administration and Naval Sea Systems Command and taking months to award the contract.

The resulting contract for $330 million fell under the umbrella of a five-year, $500 million GSA blanket purchase agreement.

Key differences between the “first” and “second” breach response contracts: The CSID contract covers only 18 months of services, while the ID Experts contract covers three years. Under the former, CSID had to provide notifications to individuals; under the latter, ID Experts is off the hook because the Defense Department will issue the notifications.

That’s another eventual cost.

DoD will bill the rest of the government for notifications

Beth Cobert, OPM’s acting director, surprised the rest of the government when she penned a July memo informing other agencies they would have to pitch in for credit monitoring. Each agency’s “portion” will be based on the number of affected individuals from each agency, Cobert wrote, though some have noted those numbers would be difficult if not impossible to break down accurately.

The ultimate divisions are still up in the air, but Federal News Radio reported last month that the DoD, likely the outfit with the biggest chunk of potential victims, will pony up $132 million as its share of the credit monitoring costs.

But DoD will get some back by taking a cut for providing the newest round of notifications.

“The costs for these services are still being determined,” DoD spokesperson Valerie Henderson told FCW. “Once determined, OPM will provide DoD funds from the OPM account that contains funds from all government agencies impacted by the recent OPM cybersecurity incident.”

Millions in lifetimes of costs?

Further complicating the cost analysis: the prospect of lifetime credit monitoring.

In lawsuits filed against OPM and OPM officials, the American Federation of Government Employees and the National Treasury Employees Union have both called for the government to provide feds with lifetime protection.

Those suits are still working their way through the courts, but should either prove successful, they would present an additional cost – and it seems no one’s quite sure how much.

OPM spokesperson Sam Schumach told FCW that OPM had not produced a cost estimate for providing individuals with lifetime credit monitoring. The Office of Management and Budget did not return a request for comment on the issue, and both the unions said they had not produced their own cost estimates.

“NTEU continues to pursue lifetime coverage,” affirmed Anthony Reardon, NTEU president, in a statement to FCW. An NTEU spokesperson added, “NTEU does not have a cost estimate.”

“AFGE stands by its demand for lifetime credit monitoring,” an AFGE spokesperson said, adding that the government can only blame itself for any costs incurred.

“We have not produced a cost estimate of such monitoring, but any concern for the cost of remediating the breach went out the window with our members’ personal data,” the spokesperson said. “If the government was concerned about the costs, the time to address that was before the breach, when cost-effective measures could still have been taken to protect our data.”

What’s the use?

The final piece of the puzzle is cybersecurity improvement costs.

Those could be high – OPM’s infrastructure modernization project could top $100 million alone, to say nothing of cyber sprint costs – but they are costs that likely would have been incurred eventually anyway. Most of the truly “new” costs are associated with credit monitoring and identity theft insurance, and they may prove to be a wasted expense.

“It gives you a false sense of security, a false sense of hope,” said longtime federal consultant Larry Allen. “I don’t think that credit monitoring is going to do much for anyone.”

From the beginning, security experts have warned that the OPM attack was probably not aimed at exploiting individuals’ financial data.

“The people who hacked this data weren’t after your credit score or the ability to open a MasterCard,” Allen said, noting that if the culprit is the Chinese government, as officials have indicated, then the stolen data will likely be used for blackmail and other, as-yet-unknown espionage purposes.

Maybe credit monitoring won’t help protect anybody, but it could help make exposed individuals feel “loved” by Uncle Sam and less likely to flip when foreign intelligence agencies come calling, Allen posited.

“It’s something,” Allen said of credit monitoring services. “It’s like a gift bag. It doesn’t really matter what’s in it, it’s the thought that counts.”

But ultimately, all the credit monitoring in the world won’t fix America’s underlying security issues, he added.

“Way too many people have security clearances today that don’t need them,” Allen said, noting the massive trove of clearance information made an irresistible, valuable target for foreign adversaries.

The government needs to focus on modernizing systems and culling the ranks of those who hold clearances and privileged access to federal systems, Allen said. “That’s where the investment has to come.”
