The Office of Personnel Management and the Department of Defense have awarded a $133,263,550 contract to the Portland, Ore.-based Identity Theft Guard Solutions to assist with notifying the 21.5 million victims of the June breaches.

The DoD will take the lead in directly notifying the current and former federal employees whose data was compromised – including several who work for the NCUA – over several weeks beginning in late September.

Identity Theft Guard Solutions, which also goes by the name ID Experts, will provide resources and services to the cybercrime victims for three years at no cost. The resources will include credit and identity theft monitoring, identity theft insurance and identity restoration. Insurance coverage for the affected individuals began on Sept. 1.

Brokering a breach response contract “is something that has taken some time, because we want to do it right,” OPM Acting Director Beth Cobert told the media. “And we also want to make sure that in the context of the notifications, we don't create any more national security issues than we have through the data that was stolen.”

Cobert added, “As somebody whose data was stolen in this incident as well as in the previous one, I can understand the frustration that people feel. But we want to make sure that we're doing this right.”

In April 2015, the OPM discovered that personal data had been stolen from 4.2 million current and former Federal government employees. The victims of this breach have been notified. In June 2015, while investigating the previous incident, OPM discovered an additional compromise of background investigation records belonging to 21.5 million current, former and prospective Federal employees and contractors.

After the first breach, which was announced in June, the OPM reportedly spent more than $20 million for identity protection firm CSID to notify affected individuals and provide them with identity protection services. Government personnel, however, complained of website crashes and multi-hour call center waiting times when they called to get basic information.

Some victims also complained that the notifications looked like malicious emails, came from a dot.com email address and contained a link to a commercial website. This time, email notifications will come from either a dot.mil or dot.gov address.

“As with any breach, time is of the essence and this is no different,” Ondrej Krehel, founder/principal of the New York City-based cybersecurity intelligence firm LIFARS, explained. “The problem though, is that it could potentially be quite a while before everything is shored up, and if it even makes the deadline. By the time they find out, they'll already be months behind and then they still have investigation and remediation to handle.”

Another expert said the new notification plan could make the situation worse for some victims.

“First of all, the nature of the data stolen requires a lifetime of protection, not just three years,” Stu Sjouwerman, founder/CEO of the Clearwater, Fla.-based KnowBe4, said. “Second, you can count on the bad guys cross-referencing the OPM hack and the Ashley Madison data and start spear-phishing and/or blackmailing the data breach victims. Instead of spending 130 million in credit monitoring, that money would have been spent much better to prevent the hack to start with!”
