The 2015 Office of Personnel Management data breach is one that left the agency jittery and uncertain over their next move.
Two years later, the government agency still seems to be struggling to make up for the breach.
According to a government watchdog, the OPM seems to be overcompensating for the data breach with two costly identity theft insurance programs that cover the estimated 20 million U.S. government employees affected in the massive breach.
A report released by the Government Accountability Office echoes the sentiments of the government watchdog, stating that the OPM has drastically overshot the level of coverage needed for a policy that ordinarily attracts compensation of not more than a few thousand dollars.
Congress Is Largely to Blame for the Overestimation of 2015’s Data Breach
Shortly after the breach was publicized, the OPM signed on two identity theft protection firms, ID Experts and Winvale Group, to help mitigate the damages caused.
The two firms essentially offered similar programs to the government employees whose personal information and background investigation data had been accessed simultaneously in the data breach.
OPM was able to determine the total number of people affected by both breaches to be around 3.6 million, 2.5 million of whom signed up for the services of ID Experts while the remaining 1.1 million opted for Winvale Group.
For their services, the government paid a grand total of $238 million.
As significant as the breach was, Congress’ mandate to the OPM to offer the victims of the data breach 10 years’ worth of identity theft protection coverage, in addition to the ridiculous $5 million insurance plan, was deemed a blatant overreaction.
The Government Accountability Office warned that this blanket approach to the breach was the farthest thing from the prudent course of action to take since it largely overestimated the extent of the damages brought on by the data breach.
It also criticized the lack of involvement of the Office of Management and Budget, which should have helped analyze the situation and come up with a much cheaper alternative than the OPM’s decision to opt for costly identity theft protection services.
In light of the OPM’s reaction, GAO also called on OMB to prevent a repeat situation where an agency is forced to insure one person for two different data breach incidents, according to the report.
OPM’s Overpayment May Distort the Identity Theft Insurance Market
One unexplored implication of the OPM’s overzealous compensation is the effect it may have on the identity theft insurance market.
The report said that private companies that are not as resourceful as the government may find it difficult to match the levels of compensation exhibited by the OPM after the data breach.
Furthermore, the overpayment could discourage the average citizen from opting for identity theft insurance, fearing that the premiums could be just as ridiculously overstated, says GAO.
Congress’s short leash on federal agencies has been put in the spotlight several times in the course of the investigation following the data breach.
The sensible course of action, according to a government auditor, is to give these agencies sufficient flexibility to investigate, analyze, and determine the acceptable standard for insurance coverage for the data breach victims.
No Traces of Stolen OPM Data Seen Anywhere as of Yet
As is the custom these days, stolen information often ends up appearing on the dark web with a price tag attached to it.
The massive OPM data breach would have provided a lucrative payday for the cyber criminal who had managed to break the government’s defenses, but since there have been no reports of the data being traded anywhere online, the possibility that the data was stolen to be sold has so far been ruled out.
It is said that hackers affiliated with the Chinese government could be behind what now appears beyond doubt to have been an intelligence reconnaissance mission that was not financially motivated.
So far, there have been no reported indictments relating to the data breach.