What OPM isn’t saying about the true cost of data breaches

OPM's latest estimate belies the true number of people whose data was exposed and the cost of protecting them.

It was nice to see the Office of Personnel Management finally release its estimate of current, former and prospective government employees — more than 22 million individuals in total — whose personal information has been compromised in two breaches over the past year.

Many information technology experts and strategic thinkers, however, believe the total will eventually reach above 50 million and may reach more than 100 million. And there are sound reasons why it could be more.

To believe OPM, one must believe that the actual job seekers and background review subjects (notice I did not say security clearance seekers) were mostly individuals with no family ties, no family members or spouses.

Quoting from OPM’s press release, their estimate of people affected in the second breach “includes 19.7 million individuals that applied for a background investigation, and 1.8 million non-applicants, primarily spouses or co-habitants of applicants.” But if you are one of those applicants, and you have any brothers, sisters, fathers, mothers, spouses, stepbrothers or stepsisters, or children — their names, dates and places of birth and Social Security numbers, along with all of your personal history information, were compromised.


By reasonable estimates, that’s an average of four to five people if you are single, never married, never cohabitated. If you have ever been married, or married more than once, then the number of affected people is more like 12 to 14. With those factors alone, the total number of people whose information is likely to be rolled up in the breaches would be in excess of 50 million. Just doing the math suggests it could be higher: 19.7 million times four to 14 yields between 78.8 million and 275.8 million whose information is now in untrusted hands.

This is about more than getting the numbers right. It’s about taking a true measure of what has happened and figuring what must be done.

The public and the victims deserve the truth, and so far it does not seem to be coming from the executive branch. Where is the Congress in getting to the bottom of this? Should a special prosecutor be appointed to investigate the matter and the culpability of people who may have knowingly and willfully misled Congress and the American people? It was surprising that Congress left town and forgot about this crisis for vacation. They should have stayed and dug in for more information. Could it be that in the zeal to limit liability and resulting costs, the executive and legislative branches are unwitting allies?

What identity theft protection will really cost

The costs of responding to the OPM data breaches have yet to be fully or properly estimated. Reputable identity protection costs approximately $100 annually for the low-end coverage and approximately $300 for premium coverage. Just doing the math for those involved in the latest breach, the cost to provide protection for the 21.5 million victims for 18 months would range from $3.2 billion on the low end, to $6.5 billion at the midrange of protection, to $9.7 billion for premium protection.


Even if the service were provided at a 50 percent discount, the costs would still be significant — and will certainly be higher given all those who qualify to get 36 months of coverage. And what about the estimate for 10 years of coverage, which experts suggest is more fitting for a breach of this kind? That would bump the cost up to $21.5 billion, assuming $100 per year, per person for 10 years.

And with most informed professionals in the field believing the total number of people affected is at least twice the number OPM has reported, the costs could mount even higher.

To put that in perspective, in its FY 2016 budget justification to Congress, OPM has requested “$21,000,000 to implement and sustain agency network upgrades initiated in FY 2014 and security software maintenance to ensure a stronger, more reliable, and better protected OPM network architecture.” If OPM spent 10 times that amount on IT security annually over a five-year period, that would still cost significantly less than what the government will likely have to pay for identity protection policies for all of those who have been compromised.

What is clear is that the government is trying desperately to keep the figures low to buy off the public and victims with an artificially low number of victims and projected costs to protect. Those affected must be protected in perpetuity, not for 18 months to three years. At a minimum, we should be talking about ten years, but a lifetime is the honest answer.

If my child’s information was in the data stolen, how long will my child be at risk? For some, the proposed protection would run out before their child enters the first grade in school. If a child is currently 20 years old, their risk will last between 50 and 70 years or longer.


At least OPM has now admitted that there are victims who were nonparticipants in the government process of applying for jobs and background investigations. It is just that they seem to believe that most people whose background and job-seeking information was stolen in the breaches are from outer space rather than the product of a society that involves parents, spouses, siblings, children and in-laws.

Why the commercial sector also must act

And there is more to be done. Identity theft protection companies all use security-screening questions — the answers to which are found in the stolen data. Industry must immediately take steps to allow people who think they may have been victims to establish a randomly generated series of responses as the proof of their identity rather than former house numbers, phone numbers, schools, relative names and so on.

When I recently answered all of the questions and then asked if I could establish my own protected answers, the support person was completely stumped. When I said, “You do know that all of those answers were contained in the stolen data from the OPM hack,” the person was literally speechless until they said, “Oh man, that could be a problem.” (That’s not a literal quote, but politically correct in so many words.)

Industry has remained strangely muted on this whole crisis. Have they even begun to ponder the losses they could face if they do not take very aggressive, affirmative steps to change the online security protocols for those affected by this breach?


In the words of the famous Earl Pitts: “Wake up America!” The recent Chinese stock losses could pale in comparison to the economic impact of people changing or abandoning online purchasing habits for more traditional methods like paper checks, only pre-paid credit cards with no link to bank accounts, ATM-only cards and other such methods that friends have been discussing lately.

Richard A. Russell is a former senior national intelligence service executive who served in progressively responsible national security positions for more than 36 years before retiring in January 2015.
