SAN FRANCISCO – The fraud detection company hired by the U.S. government to help millions of people affected by the breach of Office of Personnel Management (OPM) databases is "overwhelmed and incapable of dealing with the deluge in requests" from people who now believe their credit card information is being used by hackers, according to several federal employees who have contacted the office in recent weeks.
"I wrote and then called them eight days ago and I have gotten nada, no response from them," said Joshua Felkins, a former government employee who said that his stolen credit card information was used on July 2 to buy an expensive entertainment system from Walmart as well as a late-night snack at a Taco Bell. "This is a nightmare for millions of us. A real nightmare."
Felkins, like others who spoke to BuzzFeed News, admitted that there was no way to tell who had stolen his credit card information, or whether it was at all related to the OPM hack. Federal employees had previously described themselves as being in a state of "collective panic" over the news that their information had been stolen and the lack of information being provided by the government.
"To me it doesn't matter if my credit card got stolen by the guys who got into the OPM computers or by the Taco Bell drive-through near my house… there is a company that has been hired to protect us and no one feels protected," said Felkins.
The federal government granted credit-monitoring firm CSID a $20 million contract to provide protection services to current and former federal employees in the wake of the hack on the OPM. Officials have concluded that the hackers — suspected to be based in China — accessed files that included Social Security numbers and health and criminal information on government employees and their families. As the number of affected people has swelled to over 21.5 million, or roughly 1 out of every 15 Americans, the office has found itself inundated with requests to examine suspicious fraud activity on the credit cards of current and former government employees.
"My wife's card got stolen last year and then last week we find out someone has been using my card in Nigeria," said one current government employee, who asked to only use his first name, Spencer, as he is still employed at the Department of Justice and is not authorized to speak to the press. "It just feels like everyone is stealing credit cards these days. I don't trust the government or anyone else to keep track — they can't even keep track of our personal data."
Spencer said he spent nearly two hours on hold with the CSID when he called to inform them about the suspicious activity on his card.
"They sounded apologetic, but they were clearly overwhelmed and incapable of dealing with the deluge in requests they were getting," said Spencer. "They said someone would call me back, but then added that if they didn't — I should call them back!"
Another government employee at the Department of Labor, who likewise asked to speak to BuzzFeed News off record, said she had looked into private fraud protection insurance, but was worried about the high premiums.
"I'm going to look into that but I won't be surprised if because I'm a part of the [government] breach that it will somehow exclude me or make the premiums cost prohibitive," she wrote BuzzFeed News in an email.
She discovered on Thursday of last week that a $4,400 first-class airline ticket from Dallas, Texas, to Lagos, Nigeria, had been purchased using her credit card.
"I called CSID to report it since it's supposed to be exactly for situations like this. Their 'monitoring' didn't even catch it and never produced a fraud alert," she said, adding that an agent who was meant to assist her within 72 hours has yet to return her calls, nearly a week later. "It just really makes me angry that they are acting like nothing is happening. Just own up to it! You screwed up, our data got breached and now people are getting their [money] and possibly identities stolen."
Several lawmakers, including Sen. Mark Warner, have questioned whether CSID is capable of offering services to the tens of millions of people affected.
"Information has come to light that raises questions about OPM's awarding of this $20 million contract to CSID, and whether CSID has the expertise and capacity to provide the services for which it was contracted," Warner said in a letter to the OPM last week. Warner, who represents Virginia, said many former and current government employees are his constituents, and that he's heard complaints from them over the customer service provided by CSID. "My constituents have reported that the website crashes frequently, and that the company's dedicated hotline regarding the OPM breach has incredibly long wait times. Wait times of over an hour are not uncommon."
Former OPM Director Katherine Archuleta, who announced she was resigning last week following a punishing inquiry into her management of the office, said there's been no evidence to date that any of the stolen information has been misused.
Earlier this month, both chambers of Congress introduced a bill that would give lifetime identity theft protection to those affected by the breach, and insure them for losses up to $5 million, extending the 18-month protection and $1 million currently being offered by the OPM.
CSID says it was hired to cover 4.2 million people affected by the OPM breach. An earlier version of this post misstated that CSID had been hired to cover 21.5 million people. OPM has not returned repeated requests for comment on how many people they are currently providing with fraud protection services.
Sheera Frenkel is a cybersecurity correspondent for BuzzFeed News based in San Francisco. She has reported from Israel, Egypt, Jordan and across the Middle East. Her secure PGP fingerprint is 4A53 A35C 06BE 5339 E9B6 D54E 73A6 0F6A E252 A50F