Nearly three months after a pair of cyberattacks at the Office of Personnel Management were made public, the government has awarded a contract to begin contacting 21.5 million individuals who have not been notified that their personal information was compromised.
It is also lining up a group of contractors to keep on call to provide cleanup services for future data breaches. Under an agreement announced Tuesday, any federal agency will be able to call on one of the contractors to notify and provide identity-theft protection services to individuals affected by a data breach.
Two contractors are cleared to provide services to "populations of significant size," and one is available to provide "routine data-breach responses." The agreement is valid for five years.
One of the contractors in the first group—Identity Guard—has been tasked with a big job right out of the gate.
When OPM announced in June that more than 4 million current and former federal workers had their personal information compromised by a cyberattack, it began almost immediately to notify the individuals and sign them up for identity-theft response services.
But when the agency announced the size of a second breach, which targeted a database that included more sensitive information—names, addresses, Social Security numbers, and more than a million fingerprints—it did not have a provider lined up to notify the 21.5 million individuals whose information was caught up in the attack, or to provide them with identity-theft protection services.