Fraud protection firm defends performance after OPM hack

Fraud protection firm defends performance after OPM hack

The contractor hired to provide credit monitoring services for 4.2 million hacked federal employees is defending its performance amid allegations that it was not equipped to handle the work.

“In our view, this has been a very successful breach response program,” said CSID President Joe Ross, in an interview published Monday in The Washington Post.


Last month, officials revealed that hackers had broken into an Office of Personnel Management (OPM) database, making off with the personnel files of nearly every current and former federal employee.

The government quickly hired CSID, an identity fraud monitoring company, to help notify the millions of victims and get them signed up for 18 months of free protection services. The contract was worth over $20 million.

But questions arose about whether CSID was overwhelmed by the flood of people reaching out to the company.

“The worst thing was the misconceptions going on about us not being able to handle the [response to] the breach,” Ross said.

Federal workers unions reported website crashes and two-plus hour waits on the phone to reach a customer representative.

Ross explained to The Post that the government should not have made the 1-800 number public.

“Every federal employee and contractor was out there calling with questions,” he said.

The company has said that approximately 45 percent of all incoming calls were not from people actually affected by the breach.

“We serviced people who weren’t affected by the breach,” Ross said. “We took a beating early on for doing what in our mind what the right thing to do.”

OPM officials are now on the precipice of awarding another, likely larger, contract to an identity fraud monitoring company for a second breach, which affected 21.5 million people.

That intrusion, which laid bare detailed security clearance forms with extensive personal history information, is expected to result in a much more complex outreach effort.

The government is offering three years of identity theft monitoring services to victims of the second hack.

CSID is hoping to be in the running for this contract, as well.

“Breaches are very emotional experiences,” Ross said. “In D.C. you’re educating on multiple fronts,” including Congress, unions and employees.

“We’ve learned a lot of lessons,” he added. “A lot of the criticism came from people not understanding what the breach process is like."

But the company might have a tough time scoring another contract.

Lawmakers like Sen. Mark Warner (D-Va.) have hammered CSID's performance and accused the OPM of skipping the competitive bidding process. CSID was awarded the agency’s business within 36 hours.

“We did a competitive bidding process and won,” Ross said.

The CSID owner told The Post that 925,000 people have signed up for the monitoring program, seen as a high response rate following a data breach.

Of those people, CSID has sent out roughly 90,000 alerts of suspect activity, although that doesn’t necessarily mean that fraud occurred.

It’s believed that Chinese hackers were behind the digital assault. Most speculate that officials in Beijing are building an espionage database on U.S. workers and not interested in making profits by selling the data on the black market.