Current and former federal employees affected by the massive 2015 Office of Personnel Management data breach may be losing their identity protection services in the coming year.
IDX, the company providing these services since 2015, sent out emails earlier this month telling recipients of their identity protection services that they would have to renew on their own dime after receiving services for 10 years paid for by the government.
IDX, which has held the identity protection and credit monitoring contract since 2015, sent at least three emails out over the last few weeks offering customers a discount to renew their subscriptions.
IDX CEO Ian Kelly said that subscribers who have been receiving services for 10 years will need to renew and pay for those services themselves because OPM will no longer pay for the protection services.
“The MyIDCare membership was a result of the OPM cybersecurity incidents from 2015. Protection was provided in accordance with the Consolidated Appropriations Act for a period of 10 years. OPM has honored the 10-year obligation, and individuals that enrolled will have their coverage expire on the 10-year anniversary of their enrollment date,” Kelly said in an email to Federal News Network.
Additionally, Kelly said individuals that enrolled on later dates than 2015 and even through fiscal 2026 will have their memberships expire on the 10-year anniversary of their enrollment.
In September, OPM transferred its contract with IDX to the General Services Administration as part of the consolidation and centralization initiative. OPM is one of the three pilot agencies.
The current IDX contract continues through Sept. 30, 2026. OPM awarded a follow-on contract to IDX in 2019 under the GSA’s Identity Protection Services (IPS) Multiple-Award Blanket Purchase Agreement (BPA).
An OPM official told Federal News Network that the contract will expire once the legislative requirement to offer these services through the end of fiscal 2026 has been met, so current and former federal employees affected by OPM’s data breach will need to consider their options for identity protection and credit monitoring services this time next year.
Protection contract worthwhile?
As far as the contract itself, the OPM official told Federal News Network it has been a “waste of money.”
“The contract cost taxpayers $1 billion, with the most recent annual cost at $58 million. However, the insurance component only paid out $162,000 in claims since 2015. No claims have even been filed since 2022,” the official said.
As part of moving the contract to GSA, OPM also negotiated a lower annual cost with IDX, reducing it to about $17 million a year from about $58 million a year.
IDX’s Kelly disputed that the contract has been a waste of money. He said the cost for the final year is lower because fewer subscribers will receive services, so it will cost the government less.
Kelly said by maintaining their coverage, current and former federal employees will not have a lapse in the $5 million identity theft insurance policy and access to fraud resolution specialists should a problem occur.
“IDX has a 100% success rate in restoring victims of ID theft to their pre-theft status, so while it is impossible to keep your information from being breached, you can protect yourself from the many issues that come from identity theft,” he said.
Several lawmakers have tried to make identity protection and credit monitoring coverage permanent and paid for by the government. Sen. Mark Warner (D-Va.) called on OPM in May to keep the identity protection contract in place. Rep. Eleanor Holmes Norton (D-D.C.) introduced a bill in February 2024 to provide free lifetime identity protection coverage to those affected by the breach.
Holmes Norton’s bill never moved out of committee.
In January, the federal government settled a class action lawsuit over the 2015 breach, paying out a small fraction of the settlement funds it had set aside for victims. A federal court in October 2022 finalized a $63 million settlement for those impacted by the breach. But a December 2024 court filing shows the federal government paid about $4.7 million to more than 5,000 individuals who could demonstrate harm from the data breach.
A much different kind of breach
Whether or not current or former federal executives signed up for the identity protection and credit monitoring services over the last decade, experts say this data breach remains one of the most consequential in the last 30 years.
James Lee, the president of the Identity Theft Resource Center, a non-profit that helps victims of data breaches and identity theft, said the OPM breach is much different than the typical ones many people have experienced over the past 20 years.
“This was the first of a series where nation states were trying to get information about individuals of interest to them for intelligence and espionage purposes, because this was not only information about the employees of the federal government who had security clearances, it was also their family members, and it was other individuals who had some relationship with them,” Lee said in an interview with Federal News Network. “The information contained in those in the database that was accessed was very specific and very detailed information. You don’t see that generally in data breaches. We have never seen this information in an identity marketplace. So a typical data breach, that information gets put to use immediately in some place, where it’s either sold or shared for the purposes of generating revenue at some point and multiple times. This information was not used that way.”
Instead, Lee said China or other nation states can use this data, combined with other information from breaches, to put together a fuller picture of a federal executive or their family members, what they look like, where they travel to and how they spend their money.
All of this could be used for espionage, blackmail or other reasons by nation states. Lee said a lot of the data stolen was static, which makes this data more valuable.
“What we were talking about with OPM is that still represents an ongoing risk to those individuals, and it also represents an ongoing risk to everybody else. Today, data breaches are the fuel for most identity crimes, and one of the most prevalent crimes today is a crime of impersonation. So it’s not just the risk to the individual whose information has been breached. It’s to other people who might be led to believe that they are in contact with the real James Lee, when in fact, it’s just somebody who’s gathered enough information about me to pretend to be me,” Lee said. “In this case, you’re talking about government officials, you’re talking about people who have security clearances, so to impersonate that individual represents a risk, not only to them, but to anybody they’re dealing with, who, if somebody in a nation state is trying to impersonate them, that carries real risk with it. That, again, makes a little bit worthy of treating this information differently than what we would with a run of the mill data breach.”
OPM upped its cyber protections
Lee added that current and former federal employees should make the value of the data — even a decade after the breach — part of their consideration when deciding on future identity protection services. At the same time, Lee said protecting yourself has gotten easier and less costly. He said it’s easier to freeze one’s credit and it’s easier to get one’s credit score. In fact, Lee said freezing one’s credit from a financial perspective is the single most important thing a person could do to protect themselves.
Since the breach, OPM has spent millions of dollars to improve its cybersecurity, and over the last few years moved a lot of data and systems to the cloud.
The OPM official said the agency has robust privacy oversight, risk management and cybersecurity programs. OPM constantly monitors threats to personally identifiable information, and “is totally committed to and capable of protecting PII.”
Among the steps OPM has taken, it completed a significant overhaul of existing policies, culminating in its current cybersecurity and privacy policy, according to its 2026 budget justification.
It says having a unified policy governing both cybersecurity- and privacy-related activities helps to articulate the degree and areas of coordination between cybersecurity and privacy necessary to support OPM’s mission.
Lee said criminals and nation states are already taking advantage of artificial intelligence.
“The kinds of identity attacks that are going to be easy to make are going to become much more readily available to identity criminals, and they’re going to be able to accomplish a lot more. They will be better at targeting individuals as well. That’s why, in this particular situation, it is so very important to use this as a case study,” he said. “What the bad guys are going to do going forward is they’re going to be more targeted because they have the ability to analyze data in a way that … they can target us based on our zip code because they know where we live. They can target us based on our demographics, our age, our sex, where we were born and all these kinds of things that make up who we are. They can profile us and say, that looks like a good target, and then go after someone or groups of individuals. That’s not something they’ve been able to do at scale, and now they are because of AI. We’re going to see more targeted attacks, and what that means is we’re going to see the impact of that grow exponentially.”
The post OPM bringing protections for data breach victims to an end first appeared on Federal News Network.
