Last year, hackers believed to have Chinese government connections managed to breach the database of the federal Office of Personnel Management (the agency that oversees security clearances for government employees and contractors), and stole sensitive and often blackmail-worthy information about 21.5 million people, mainly security clearance holders but also friends or family members thereof.
The stolen information included Social Security numbers and what the OPM called “findings from interviews” — in other words, all the sensitive and potentially embarrassing personal information uncovered in the course of an intensive national-security background check.
Last week, the Defense Department announced that it had awarded a $133 million contract to a company called ID Experts, to provide credit-monitoring services to the 21.5 million victims of the OPM hack. At first glance that looks like a bargain, at least by federal-budget standards: $133 million divided by 21.5 million clients comes out to just under $6.19 per OPM hacking victim.
Granted, the Washington Post did report that, according to officials, the $133 million award is only the first piece of a larger government-wide contract expected to cost a total of $500 million over the next five years. Even so, 500 divided by 21.5 still averages out to only $23.26 per person, arguably a good price for five years' worth of identity theft protection and credit monitoring.
Price vs. value
Specifically, that's a good price if those 21.5 million hacking victims actually get value for their (or the government's) money. But will they? Beth Cobert, the government's acting personnel in chief, seems to think so. “We want to do it right,” she said while announcing the contract. “We’ve tried to make sure we put in place a very high-quality contract that doesn’t create any more national security issues than we already had through the data that was stolen.”
But many critics, including security expert Brian Krebs, doubt the contract will be of much help to those those 21.5 million hacking victims: “No matter how you slice it, $133 million is a staggering figure for a service that in all likelihood will do little to prevent identity thieves from hijacking the names, good credit and good faith of breach victims.” Rather than pay hundreds of millions for ID-theft services offering dubious benefit, “perhaps the agency should be offering the option to pay for the cost that victims may incur in 'freezing' their credit files, a much more effective way of preventing identity theft.”
The problem is that identity-theft protection services don't actually offer “protection” from identity theft. As Krebs noted (italics lifted from the original), “The most you can hope for from these services is that they will notify you after crooks have opened a new line of credit in your name.” Though that's not to say such services have no use at all: “Where these services do excel is in helping with the time-consuming and expensive process of cleaning up your credit report with the major credit reporting agencies.”
If you want to actually protect yourself from identity theft happening in the first place, your only reliable option is to get a credit freeze, also known as a credit report freeze. A credit freeze basically puts your credit rating on lockdown: no credit-monitoring agencies will release any information about you without your specific individual consent. Without these credit reports, no lending institution will risk opening a new account in your name – which in turn means any would-be identity thief who tries opening credit cards or getting other loans in your name won't be able to.
At the same time, if you (the real you) want to get any sort of loan, you'll have to lift the credit freeze first.
This all sounds pretty easy. So why doesn't everybody – at least, everybody who's not currently applying for a mortgage, credit card or other type of debt – get a credit freeze?
For starters, because it's not simply a matter of getting “a” credit-report freeze. If you, a modern American, want to completely freeze your financial identity, you actually need to arrange for several credit-report freezes, one with each of the major credit-reporting bureaus. And this can get expensive. Rates vary based on which state you live in, but credit freezes can cost up to $15 per person, per credit bureau. Furthermore, based again on where you live, temporarily lifting a freeze in order to apply for a legitimate loan might cost you additional per-bureau fees.
Currently, however, the government intends to spend at least $500 million offering credit-monitoring services to help possible identity-theft victims related to the OPM hacking, and $0.00 for credit freezes to prevent identity theft in the first place.
The Defense Department will start notifying these 21.5 million people about their free credit-monitoring options later this month.