OPM looks to wrap breach notification by early December

With some 14 million letters already out and millions more expected to hit mailboxes by the end of the month, the Office of Personnel Management expects to wrap up notifications to breach victims in the coming weeks.


The Office of Personnel Management is on track to finish notifying 21.5 million victims of the agency's massive data breach some six months after the intrusion became public.

The final notification letters should be sent by the second week of December, OPM spokesperson Sam Schumach told FCW. The agency has already mailed 14.5 million letters and is printing 800,000 each day.

"We're getting into the final push," Schumach said.

That final push will include old-fashioned letters and a brand-new web portal.

OPM has publicly characterized its hack as two separate breaches -- the first involving 4.2 million personnel records and the second involving a 21.5 million-person background check database -- but internal documents obtained by FCW indicate that the breach was a single sustained assault.

Notifications for the first breach were sent over the summer, but after security concerns about email and allegations of a botched, rushed contract, OPM slowed down, enlisted the Defense Department's help and chose snail mail for the second round of notifications.

Along with hard-copy notifications, the agency will launch OPM Verify, a public portal with two aims: letting victims who haven't yet received their notification letters confirm their status and helping fill the gaps in OPM's address list. Schumach said the portal will be made public in the next week or so.

But how much good will it do?

"Even if you haven't gotten your letter, you kind of know you're on the list and you should be taking steps accordingly," said Larry Allen, president of Allen Federal Business Partners. "If your neighbors and colleagues were breached, you probably were breached, too."

Coming this late in the notification process, the portal will be a "public-facing feel-good thing" that does little to help affected feds, Allen said, adding that few people will likely learn their victim status from the portal because most of the notification letters will have been sent by the time it goes live.

Although Schumach said the portal will also deliver information about breach-mitigation services, Allen questioned its overall usefulness and wondered why scarce IT dollars were being funneled into the project, which involves a non-competitive $1.8 million award from the Defense Information Systems Agency to tech firm Advanced Onion.

On the mailing list front, Schumach confirmed that the agency is pursuing other methods to track down correct addresses for the small percentage of letters that are being returned as undeliverable, including tapping the U.S. Postal Service's databases.