The Office of Personnel Management (OPM) has awarded a $133 million contract to a private firm in an effort to provide credit monitoring services for three years to nearly 22 million people who had their Social Security numbers and other sensitive data stolen by cybercriminals. But perhaps the agency should be offering the option to pay for the cost that victims may incur in “freezing” their credit files, a much more effective way of preventing identity theft.
Not long after news broke that Chinese hackers had stolen SSNs and far more sensitive data on 4.2 million individuals — including background investigations, fingerprint data, addresses, medical and mental-health history, and financial history — OPM announced it had awarded a contract worth more than $20 million to Austin, Texas-based identity protection firm CSID to provide 18 months of protection for those affected.
Soon after the CSID contract was awarded, the OPM acknowledged that the breach actually impacted more than five times as many individuals as originally thought. In response, the OPM has awarded a $133 million contract to Portland, Ore. based Identity Theft Guard Solutions LLC.
No matter how you slice it, $133 million is a staggering figure for a service that in all likelihood will do little to prevent identity thieves from hijacking the names, good credit and good faith of breach victims. While state-sponsored hackers thought to be responsible for this breach were likely interested in the data for more strategic than financial reasons (recruiting, discovering and/or thwarting spies), the OPM should not force breach victims to pay for true protection.
As I’ve noted in story after story, identity protection services like those offered by CSID, Experian and others do little to block identity theft: The most you can hope for from these services is that they will notify you after crooks have opened a new line of credit in your name. Where these services do excel is in helping with the time-consuming and expensive process of cleaning up your credit report with the major credit reporting agencies.
Many of these third party services also induce people to provide even more information than was leaked in the original breach. For example, CSID offers the ability to “monitor thousands of websites, chat rooms, forums and networks, and alerts you if your personal information is being bought or sold online.” But in order to use this service, users are encouraged to provide bank account and credit card data, passport and medical ID numbers, as well as telephone numbers and driver’s license information.
The only step that will reliably block identity thieves from accessing your credit file — and therefore applying for new loans, credit cards and otherwise ruining your good name — is freezing your credit file with the major credit bureaus. This freeze process — described in detail in the primer, How I Learned to Stop Worrying and Embrace the Security Freeze — can be done online or over the phone. Each bureau will give the consumer a unique personal identification number (PIN) that the consumer will need to provide in the event that he needs to apply for new credit in the future.
But there’s a catch: Depending on which state in which you reside, the freeze can cost $5 to $15 per credit bureau. Also, in some states consumers can be charged a fee to temporarily lift the freeze.
It is true that most states allow consumers who can show they have been or are likely to be a victim of ID theft to obtain the freezes for free, but this generally requires the consumer to file a police report, obtain and mail a copy of that report along with photocopied identity documents, and submit an affidavit swearing that the victim believes his or her statement about identity theft to be true.
Unsurprisingly, many who seek the comprehensive protection offered by a freeze in the wake of a breach are more interested in securing the freeze than they are untangling a huge knot of red tape, and so they pay the freeze fees and get on with their lives.
The OPM’s advisory on this breach includes the same boilerplate advice sent to countless victims in other breaches, including the admonition to monitor’s one’s financial statements carefully, to obtain a free copy of one’s credit report from annualcreditreport.com, and to consider filing a free and/or fraud alert with the three major credit bureaus. Nowhere does the agency mention the availability or merits of establishing a security freeze.
If you were affected by the OPM breach, or if you’re interested in learning more about what you can do to protect your identity, please read this story.