The letter came in on a Monday. Nicolle Gallo didn't think she would get one: It's been three years since she worked for the government. And besides, she was a congressional staffer, and she thought most of the hack victims had worked in the executive branch.
The letter, signed by Office of Personnel Management CIO Donna Seymour, expressed "regret" for a data breach at the agency, and informed Gallo that her identifying data had likely been stolen.
"You are receiving this notification because we have determined that the data compromised in this incident may have included your personal information, such as your name, Social Security number, date and place of birth, and current or former address," the letter read.
Gallo was just one of 4.2 million current and former federal workers caught up in a breach of OPM servers that took place in December 2014. Of that group, 3.6 million individuals were also affected by a separate, much larger breach of background-check data made public last week. Between the two incidents, more than 22 million individuals—including federal workers' spouses, children, and associates—had their personal data compromised.
Although the White House has not said who was behind the attacks, officials have privately connected both to China. After OPM announced the first breach, the agency's director, Katherine Archuleta, spent days defending her actions in a series of heated congressional hearings and briefings, as more lawmakers added their voices with each passing day to a growing chorus calling for her to step down. After the scope of the second breach was made public last week, Archuleta announced her resignation.
The day after Gallo's notification arrived in the mail, she spent half an hour signing up for the credit-monitoring and identity-fraud-protection service OPM offered her free of charge for 18 months, entering data like her passport number and health insurance information.
And that was that. Gallo, now vice president of Ditto Public Affairs in New York City, has not since been contacted by OPM or CSID, the contractor providing the 18 months of services. "All the information I received was from that letter," she said, "which is a little concerning because you give the government the service and your time and basically all of your information, and it doesn't seem that they are equipped to deal with this 21st-century problem."
The services offered to the past and present federal employees affected by the data breach are a comprehensive set of tools that allow them to monitor their credit and keep an eye on their identifying information. CSID monitors public records to make sure enrolled individuals' names, addresses, and Social Security numbers are not used fraudulently, and provides $1 million insurance in the case of identity theft.
Monitoring services like CSID catch many—but not all—cases of attempted identity theft, says Eric Warbasse, senior director of financial services and breach response at LifeLock. Some forms of identity theft, like tax fraud, are nearly impossible to detect until they've happened.
That's when "restoration" or "remediation" comes in: The affected individual works with a specialist to restore his or her identity and scrub false information from records. Sometimes this process is quick, but it can take as long as six months or more in difficult cases like tax fraud.
OPM said it will offer similar services—for three years rather than 18 months—to the 21.5 million individuals affected by the second breach, although it has not yet found a contractor to do so.
CSID, the contractor handling Gallo's case along with hundreds of thousands of others who signed up for the service, came under fire for its handling of the notification process and for long phone wait times at its call centers. OPM said last week it is partnering with the Defense Department to look for a provider for the second round of notifications and fraud protection.
But identity-fraud-protection services are not a complete cure for individuals who have had their data compromised, says Costis Toregas, associate director of the Cyber Security Policy and Research Institute at George Washington University.
Toregas, who has worked with the Department of Homeland Security and believes that his own personal information is likely in the hands of a third party, says services like CSID and LifeLock can "lull you into a false sense of protection. 'Aha, since these guys are looking for me, I'm impregnable.' You're not impregnable. You can be hacked."
Further, given the mammoth scale of the data breaches at OPM, providers will have to provide a "brute force and simple-minded" service, taking a once-size-fits-all approach that Toregas says limits its effectiveness.
"I think it's wonderful that the government is offering some support," Toregas said. "But in my mind, whatever they offer is not going to be enough. It's not going to be helpful."
When she was offered 18 months of protection after her data had been compromised, Gallo said she was initially skeptical. "At this point, somebody across the world could have my information—I have no idea—and the only thing protecting me is this service," she said.
Many of her friends, she said, signed up for LifeLock's service out of pocket rather than accepting the year and a half of free CSID coverage, "because they didn't want to do anything under the government's watch."
The limited time frame of protection, too, made Gallo nervous. "It's a little ridiculous," she said, that after the free period ends, "I'm going to probably have to pay out of pocket to protect my own identity." She said she plans to do so.
"After 18 months, after three years, my information is still going to be out there forever. Given that me and other people working for the government, we served in the government and all that, I think we should be protected for life," she said.
Some in government have proposed just that. A bill sponsored by Sen. Ben Cardin of Maryland and Del. Eleanor Holmes Norton of the District of Columbia would provide the 22 million current and former federal employees who had their information compromised with lifetime identity-theft protection. And OPM said last week that it's developing a proposal to provide every federal worker with those services.
But given that covering 4.2 million people cost the government more than $20 million, expanding the protective umbrella to 22 million or more individuals could come with a big price tag. A spokesman for Norton said there is no cost estimate for the lawmakers' proposal yet.
Warbasse, LifeLock's director of breach response, said the length of identity-theft protection may not actually matter a whole lot. "If somebody has been victimized through identity theft "¦ their data is going to be sold and resold and it is not perishable anymore," Warbasse said. "It has no half-life. For the rest of their life, they are vulnerable to continued hacks."
We have such a limited understanding of the lasting effects of data breaches that there is no sense in offering one group of individuals 18 months of coverage and another group three years of coverage, Toregas said. "We don't know enough about the impact of the loss to say, 'Ah, you will suffer twice as much, so I will extend it for twice as long.' We just don't know."
The American Federation of Government Employees, a union of federal workers, agrees. The union's national president said in a Monday statement that it's "outrageous" to provide a separate tier of service to victims of the second OPM breach, calling the practice a "double standard."
In the end, experts say, whether an individual has been caught up in a high-profile breach or not, it's likely his or her information is in the hands of a third party.
"If you're one of the 280 million people whose data wasn't compromised in the OPM breach, you may think that you're secure, that your data is secure and you're not at risk," Warbasse said. "We've crossed that line. Everybody's data is at risk and vulnerable, and has probably been compromised multiple times, if they're an adult."