As all of our readers are by now no doubt aware, the Office of Personnel Management (OPM) experienced at least two major data breaches beginning late last year which exposed the personal data of millions of current and former federal employees. Recent reports are now suggesting it may be as many as 18 million 32 million individuals who were impacted rather than the 4 million that OPM originally reported.
OPM announced the first breach on June 4 and began sending out notices to federal employees who were impacted by the breach on June 8. Among the advice provided in the letters that went out was an offer for 18 months of free credit monitoring being provided by a company OPM had contracted with to provide the service.
Since FedSmith.com users are nearly all current and former federal workers, we asked our users if they had been impacted by the OPM data breach and what their experiences were with signing up for the credit monitoring service. Here is what we found.
Out of the nearly 4,000 responses we received to the survey, the majority of respondents (69%) were current federal employees. 30% were retired federal employees and about 1% were former (not retired) federal employees.
54% of respondents who identified themselves as current federal employees said that their personal data had been compromised in the data breach while 44% said they still do not know if it had been compromised. However, 67% of retired federal employees do not know if their data had been compromised and only 32% said it had been.
Based on these survey results, OPM has also contacted fewer retired federal employees. 61% of retired federal employees said they had not been contacted by OPM, but 59% of current federal employees had been notified by OPM that their data had been compromised. In most cases (85%), OPM contacted individuals via email, which is how the agency said it would distribute the notices.
Despite the high percentage of individuals reporting being contacted by OPM and/or saying their personal data had been compromised, very few individuals had experienced anything that could be seen as suspicious activity related to the data breach (strange emails, suspicious charges, etc). Only 14% reported suspicious activity, the majority of reported activity being phishing emails, unrecognized charges to credit cards, and unsolicited phone calls.
Nearly all respondents (97%) who were contacted by OPM said they plan to take advantage of the free credit monitoring service, and 79% said they had already signed up for it.
Among the respondents who reported signing up for the credit monitoring service, most reported not experiencing any problems with the sign-up process. This is particularly interesting given media reports that federal employees have run into many problems trying to sign up for the service with CSID, the company OPM has contracted with to provide the free credit monitoring. See, for instance, "Senator Questions Quality of Service Being Provided to Victims of OPM Data Breach."
95% of respondents who signed up for the free credit monitoring were able to successfully complete the process, and of those who signed up, 74% said they did so without any problems. 21% reported some difficulty and 5% said they experienced many problems.
Of those who reported experiencing many problems, 57% said they were unable to successfully complete the sign up process. These individuals most commonly reported problems such as the site freezing or crashing during the sign up process or failing to sign up online and being told to call and then having to wait on hold for 90+ minutes.
Most respondents (70%) said they were not using a credit monitoring service prior to the OPM data breach; however, 68% of respondents said they are more likely to use one going forward because of the breach. 30% said they were neither more nor less inclined to use one.
The comments we received from respondents can generally be summed up in a single word: frustrated.
Many comments indicated that respondents have a lack of confidence in OPM and/or the government to safeguard employees’ personal information, frustration with the sign up process, frustration at OPM’s response (or lack thereof) to the data breach, frustration that agency leaders have not been fired over the breach, and/or frustration that longer, more comprehensive data monitoring plans that go beyond only 18 months are not being offered.
Below is a random sampling of some of the comments we received:
- Not enough information is being given to us – what is OPM hiding?
- I should not have to pay for a credit monitoring service because our agencies are always behind on security. They should always behead (sic) with the skills and knowledge avaibale (sic) to them.
- The Obama administration needs to take not just this breach, but this one and all previous breaches more seriously. He needs to (sic) more to strengthen the Federal cyber security defenses. He also needs to take strong enough action against those who are committing these security breaches to deter further compromises.
- My government travel card had transactions on it that I had not done. This happened in May. It might be connected, don’t know.
- Why are these servers on the Internet? Take them off and design systems that have an air gap to sensitive information. Delay in retrieval would be worth it. Especially frustrating since the OPM P/W design is so cumbersome and difficult to use. OPM did a good job of securing the data from its legitimate users!
- OPM has done a horrific job at notifying and/or handling this debacle.
- OPM was told that their systems were NOT secure. Director Katherine Archuleta should be FIRED !
- They took much too long to notify us, plus I have heard how poor the credit monitoring service is working… the Union has protested and I would like to see things improve but realistically do not expect to see anything happen
- My PII is required by OPM. I did not have a choice to give them my information. If my PII is illegally used, I am concerned how it will affect me financially, legally, and emotionally. They will provide credit monitoring for 1-1/2 years. What happens after this?
- OPM is downplaying this. No confidence in them.
- Just really disgusted with OPM that PII wasn’t encrypted. As a supervisor, I was diligent about protecting my coworkers info in locked files.
- I think OPM should offer us credit monitoring for life, not just 18 months.
- How does this affect other family members who are in my federal employment records? Do they get free credit monitoring as well? They are potentially more vulnerable to this data breach because no one is warning them to be on the lookout for identity theft.
- There are many of us who have not received any letter from OPM. I’m anxious wondering did it get lost in the mail or if in fact my data was not compromised. This issue needs to be addressed for all concerned.
- There should be a sponsored class action lawsuit against OPM. Federal employees don’t have choice or control over their personal info. When an agency uses outdated, insufficient, and unencrypted methodologies, they should be toast. We have required annual training on IT security and OPM doesn’t appear to comply with what is provided in the training.
- The fact that my identity had previously been stolen is why I was already signed up with a credit monitoring service, so any attempts on my accounts now would have met with a brick wall.
- OPM should have notified us of the breach sooner. Someone fraudulently filed taxes in February 2015 using my name and social. If notified sooner, I could have taken protective measures. I still have not received my tax refund.
- The federal employees who were NOT affected should be contacted also. It should be explained why their personal data was not hacked while other federal employee data was hacked.
- OPM’s email indicates that they caught the breach because they so careful monitor (sic) their database. They know full well that this is a lie, and that the only reason they found the breach was that a company trying to sell them services found it during a demonstration. They think all Federal employees are idiots apparently. I work for an Agency that is pushing/forcing the public to utilize online services. So, I am supposed to convince our customers that our systems are secure when we cannot even protect or secure the employee’s data?
Our thanks to each of you who took the time to share your feedback in this survey. We know this is a frustrating experience for our users and we wish all of you the best in resolving any problems you have encountered from this unfortunate incident.