A D.C. federal judge Tuesday gave preliminary approval for a $63 million settlement to go ahead in a class action brought by victims of the 2014 and 2015 Office of Personnel Management data breaches.
In a court order, U.S. District Judge Amy Berman Jackson said the figure in the agreement was “fair, reasonable, and adequate, and in the best interest of named plaintiffs and class members.”
The $63 million payout remains subject to a fairness hearing scheduled for Oct. 14.
If it receives final approval, the settlement will bring to an end a long-running class action brought by the U.S. citizens and permanent residents whose personal information was compromised as a result of cyberattacks at OPM and through the breach of electronic information systems operated by contractor Peraton in 2013 and 2014.
The class action is open to citizens who had to spend money remedying issues directly related to the breach, such as paying for credit record monitoring services, and claims may be submitted until Dec. 22.
In 2015, OPM announced it was hit with a series of intrusions understood to be linked to two Chinese government-sponsored groups, which resulted in the compromise of personal information of around 22 million individuals.
A subsequent report by the House Committee on Oversight and Reform found that the earliest known data breach at the agency came in November 2013 but was not detected for years until a private cybersecurity firm was brought in to run forensics.
Before that, malware was found to be lurking on the organization’s data infrastructure dating back to 2012, according to the Department of Homeland Security’s U.S. Computer Emergency Readiness Team.
“The long-standing failure of OPM’s leadership to implement basic cyber hygiene, such as maintaining current authorities to operate and employing strong multi-factor authentication, despite years of warnings from the inspector general, represents a failure of culture and leadership, not technology,” the report stated at the time.
Following the breach, OPM contracted with credit monitoring company ID Experts to provide monitoring services to victims of the breach. According to federal government spending data, the agency has so far spent $248 million on the contract, which has an award ceiling of $416 million.
In an online statement, Daniel Girard, lead counsel for the plaintiffs, said: “The settlement ends a seven-year legal effort to win compensation from the government.”
“The settlement will compensate victims who suffered a financial loss as a result of the hack, providing for minimum payments of $700, even for those with minor expenses,” he added. “The court’s order sets a deadline of December 22, 2022 for class members to submit a claim.”
An OPM spokesperson declined to comment and referred FedScoop to the Department of Justice.