The Office of Personnel Management announced Thursday that a breach of a database that contained federal employees' background-check information led to the theft of 21.5 million individuals' Social Security numbers. And the personnel agency said it would notify the affected individuals and supply them with at least three years of credit-monitoring and identity-fraud protection services.
But it has not yet awarded a contract for the notifications or fraud-protection services, or even put out a request for contractors to respond to, according to multiple sources.
OPM press secretary Sam Schumach said Friday morning that the agency is "currently partnering with the Defense Department to identify a private-sector firm that specializes in credit and identity-theft monitoring, in order to provide a comprehensive suite of services designed to help individuals minimize potential risks from this incident."
As of Friday, no OPM request for proposals appeared on an online government repository of contracts and awards.
"OPM hasn't announced a partner for the second set of notifications," said Helen Murphy, account supervisor at INK Public Relations, which represents CSID, the company that provided those services for a smaller OPM hack that was announced in June.
CSID was awarded a contract for more than $20 million in early June to notify the 4.2 million individuals who were affected by a breach of OPM employee files and provide them with 18 months of identification-fraud protection services. Two days after the contract was awarded, OPM publicly announced the breach, and affected federal employees began receiving notifications the next week.
OPM, however, has not reached out to CSID about providing the same services for this second, much larger breach, according to a person with knowledge of the contractor's relationship with the government.
That's despite the fact that OPM entered into a "blanket purchase agreement" with CSID, which would prevent the government from being billed twice for the company's services if an employee were affected by two separate hacks.
The overlap between the individuals affected by the two data breaches is very large: 3.6 million of the 4.2 million people affected by the smaller hack were also affected by the larger one.
Given that CSID charged upwards of $20 million to provide notifications and 18 months of services to 4.2 million people, the price tag for notifying 21.5 million people and serving them for at least three years could potentially be much, much higher.
OPM was harshly criticized by lawmakers for the way it handled the first round of notifications for federal workers. A letter to OPM from Sen. Mark Warner cited long wait times for CSID call centers, website issues, and inaccurate or out-of-date information about enrollees' credit history.
And while notifying affected individuals in June, CSID sent emails that asked them to click a link to receive free credit-monitoring services, a practice which the Virginia Democrat called a "violation of basic cybersecurity protocols that employees should never click on unfamiliar links."
OPM said Friday morning that the agency "is building on the lessons learned for providing services from prior cybersecurity incidents in the public and private sector, including in the personnel records incident. The rationale behind this is to ensure transparency, a fair and open bidding process, and address concerns from Congress."
Along with a number of Republicans in the House and Senate (and two Democratic House members), Warner on Thursday called for OPM Director Katherine Archuleta to step down.
The breach detailed Thursday was larger in scale even than the most extreme reports had indicated, affecting almost 20 million individuals who had undergone background investigations and nearly 2 million others, mostly applicants' families. The compromised data included fingerprint data, addresses, medical and mental-health history, and financial history.
This article was updated with a statement from OPM.