Warner Questions OPM's Handling of Credit Monitoring Contract

OPM hack victims have complained about accessibility and quality of service provided by credit monitoring contractor CSID; Senator also raises concerns that contract was not properly awarded by OPM

Jun 19 2015

WASHINGTON – U.S. Sen. Mark Warner (D-VA) today wrote to Office of Personnel Management (OPM) Director Katherine Archuleta, raising concerns about the performance of the contractor OPM hired to provide credit monitoring services and identity theft protection for victims following the data breach at the agency affecting at least 14 million federal employees.  

In the letter, Sen. Warner highlights complaints he has received from constituents about long wait times and unreliable or inaccurate services being provided by the contractor Winvale via subcontractor CSID, and questions whether Winvale/CSID has the necessary experience and capacity to protect millions of federal workers from identity theft.

“As you are well aware, I have a large number of constituents in Virginia who are current, former or retired federal employees, and in the past two weeks, I have heard complaints from many of them about the poor quality of service provided by CSID. My constituents have reported that the website crashes frequently, and that the company’s dedicated hotline regarding the OPM breach has incredibly long wait times. Wait times of over an hour are not uncommon. Even as I write, CSID is reporting a wait time of approximately 90 minutes to speak with a representative,” the Senator wrote. “Virginians have also expressed frustration and disappointment with the quality of the information CSID has provided them. Many have reported receiving inaccurate or out-of-date information regarding their credit history, which calls into question CSID’s ability to appropriately protect them from fraud and ID theft.”

Added Sen. Warner, “Needless to say, I am deeply troubled by these reports. OPM must hold CSID accountable for timely and accurate responses to federal employees who are rightfully concerned about the impact of this breach. If the company is unable to handle the volume resulting from a breach of this size, the contract should be terminated and awarded to a company that can.”

Sen. Warner also asked OPM to provide information regarding the procurement process used to award Winvale/CSID the contract. According to records at FedBizOpps.gov, the online database of federal government contracting opportunities, the solicitation was open for a period of just 36 hours and was awarded in less than a week, raising questions as to whether OPM could have inappropriately attempted to steer the contract award to CSID.

“As it stands, at least 14 million federal employees have had their personal and financial information exposed and are now, through no fault of their own, at risk for potential fraud and identity theft. OPM has an obligation to take this threat seriously,” wrote Sen. Warner. “The agency’s awarding of this contract suggests, however, that protecting employees exposed by the breach is not the top priority for OPM that it should be. We expect that OPM will act quickly to correct any such impressions.”

Last week, Sen. Warner led his colleagues from Virginia and Maryland in calling on OPM to do more to protect federal employees whose personal information was compromised as a result of the massive breach, including pushing OPM to provide “a significantly longer period of credit monitoring than the current proposed 18 months.”

June 19, 2015

Hon. Katherine Archuleta

Director, U.S. Office of Personnel Management

1900 E Street, NW

Washington, DC 20415-1000

Dear Director Archuleta:

I write today to follow up on some important questions that must be answered in the wake of the Office of Personnel Management’s (OPM) June 4, 2015 announcement that a data breach of its information technology systems and data had compromised the Personally Identifiable Information (PII) of millions of current and retired federal workers.

Following that announcement, OPM announced that victims of this breach would be eligible for 18 months of identity theft protection including credit monitoring and fraud insurance through CSID, a company that specializes in identity theft protection and fraud resolution. I have already expressed my concerns that federal workers deserve more than 18 months of credit monitoring following a breach of such enormous size and scale.

Since that letter, additional information has come to light that raises questions about OPM’s awarding of this $20 million contract to CSID, and whether CSID has the expertise and capacity to provide the services for which it was contracted. I write today to seek answers to those questions and bring to your attention the poor performance of the contractor to date. 

As you are well aware, I have a large number of constituents in Virginia who are current, former or retired federal employees, and in the past two weeks, I have heard complaints from many of them about the poor quality of service provided by CSID. My constituents have reported that the website crashes frequently, and that the company’s dedicated hotline regarding the OPM breach has incredibly long wait times. Wait times of over an hour are not uncommon. Even as I write, CSID is reporting a wait time of approximately 90 minutes to speak with a representative.

Virginians have also expressed frustration and disappointment with the quality of the information CSID has provided them. Many have reported receiving inaccurate or out-of-date information regarding their credit history, which calls into question CSID’s ability to appropriately protect them from fraud and ID theft. Others have reported extreme difficulties with obtaining information from CSID regarding the terms and conditions of the $1 million in identity theft insurance they have been offered as part of CSID’s contract with the federal government. I also question CSID and OPM’s judgment in contacting victims by email with a recommendation that they click on a link to CSID’s website to sign up for credit monitoring – a violation of basic cybersecurity protocols that employees should never click on unfamiliar links because they risk exposing employees to scammers’ phishing attempts.

Needless to say, I am deeply troubled by these reports. OPM must hold CSID accountable for timely and accurate responses to federal employees who are rightfully concerned about the impact of this breach. If the company is unable to handle the volume resulting from a breach of this size, the contract should be terminated and awarded to a company that can.

The company’s substandard service is especially troubling given the way in which OPM awarded CSID this contract.  According to FedBizOpps.gov, the online database of federal government contracting opportunities, OPM posted a Blanket Purchase Agreement (BPA) Request for Quotation (RFQ) for “Privacy Act Incident Services” on May 28 at 11:33 a.m. with a response deadline of May 30 at 11:59 p.m. – providing companies with a period of just 36 hours in which to evaluate OPM’s terms and submit a bid for the contract. During that time, OPM amended the solicitation three times. On June 5 – less than a week after the initial RFQ – OPM awarded the contract to CSID via main contractor Winvale Group LLC.

According to procurement experts, such a short turnaround time is highly unusual and raises suggestions that OPM could have intentionally steered the contract to CSID. While there was and remains a time-sensitive imperative to protect the personal information of our federal workers, the General Services Administration (GSA) is already equipped to assist agencies in quickly setting up credit monitoring services in the event of a breach. In 2006, following a theft that exposed the personal information of millions of veterans, their spouses, and active-duty military personnel at the Department of Veterans Affairs, the GSA awarded BPAs to three companies to assist Federal agencies needing credit monitoring services. As GSA noted at that time:

“In the wake of recent incidents that threatened the confidentiality of personal information, this action by GSA will allow Federal agencies to take advantage of significantly reduced unit pricing and volume discounting available through these agreements.  They can also select different levels of credit monitoring services depending on the degree of vulnerability, risk, and protection.

“The BPAs also eliminate separate contracting and open market costs that result from separate agencies searching for sources, developing technical documents and solicitations, and evaluating offers.  Significantly reduced pricing, strong oversight and reporting, and excellent customer service from these commercially available credit monitoring services are now available on a government-wide basis.”

GSA made three awards under the BPA to two large national companies, Equifax Inc. and Experian Consumer Direct, as well as Bearak Reports, a small woman-owned firm in Massachusetts. It is unclear whether Equifax or Experian bid on the RFQ, but Bearak has publicly said that it was unaware of the OPM solicitation, and that the company would have bid if it had known. This raises questions as to whether OPM followed all appropriate federal procurement protocols in awarding this contract.

It is possible that the decision to award this contract so quickly would raise fewer questions if the contractor was known as an expert in credit monitoring. However, a recent press report noted that the company “is thought of as a company that helps others get on the GSA schedules, prepare proposals and the like, and their GSA schedules are for things such as lab equipment and IT software/services, but there is nothing about credit monitoring, insurance or similar offerings.”

As a result, I also request that you provide answers to the following questions:

  • To the best of your knowledge, how did CSID learn of the RFQ?
  • Did OPM receive bids from any companies other than CSID?
  • Why did OPM choose not to pursue a bid through GSA, an agency established by Congress in order to cut down on wasteful overhead and administrative costs by centralizing the procurement process?
  • If the contract was awarded based on urgency, under federal procurement guidelines, OPM could have properly awarded a sole-source contract for a period of 12 months. How does OPM justify awarding what appears to be a sole-source $20 million contract with four one-year renewal options in this case?

As it stands, at least 14 million federal employees have had their personal and financial information exposed and are now, through no fault of their own, at risk for potential fraud and identity theft. OPM has an obligation to take this threat seriously. The agency’s awarding of this contract suggests, however, that protecting employees exposed by the breach is not the top priority for OPM that it should be. I expect that OPM will act quickly to correct any such impressions.

Sincerely,

Mark R. Warner

U.S. Senator