$21mn contract to protect Chinese hacking victims broke gov’t rules, IG memo finds

The Inspector General of the Office of Personnel Management found “significant deficiencies” in the process for hiring contractors to protect millions of federal employees whose personal information was accessed by hackers linked to China last year.

“We determined that the [Office of Personnel Management] did not award the … contract in compliance with the [Federal Acquisition Regulation] and [Office of Personnel Management] policies and procedures, which led to [the agency] selecting the wrong contracting vehicle,” Patrick McFarland, OPM Inspector General, wrote to OPM Director Beth Cobert, according to the Washington Post.

“While we are unable to determine whether the issues we uncovered are significant enough to have impacted the award of the contract…it is evident that significant deficiencies existed… over the contract award process.”

The IG memo is a preview of what’s to come in a full report on the $20.7 million government contract presented to Winvale Group LLC and CSIdentity. Winvale and its subcontractor were chosen to serve former and current federal employees affected by the OPM data breach, a hack believed to have been carried out by Chinese officials or agents. The contract is relevant to the originally reported 4.2 million federal employees who had thier records stolen.

In July, the total number of employees affected was updated to 21.5 million, and a separate contract is in the works to serve that larger figure.

Although the hack began in March 2014, OPM didn’t find out about it until April of 2015. No public announcement was made until June. A week before, however, OPM put out a request for “Privacy Act Incident Services.” One day after the public announcement revealing the breach, OPM had already processed the deal.

Both Winvale and OPM claim they were unaware of the “significant deficiencies” cited in the IG memo at the time of the processing, but OPM took credit for the IG report, too.

“We proactively identified an error with the Winvale contract, raised it with the OIG, and then took action to address this issue at no additional cost to the taxpayer. Once the IG report is published, we will provide a formal response,” Sam Schumach, OPM’s Press Secretary, said in a statement.

In a statement provided to Nextgov, Winvale spokesman Patrick Hillman said, “Winvale responded to a posting on FBO.gov, just like every other contractor that submitted a bid. Beyond that, Winvale had no control over or insight into the bidding process.”

Within days of Winvale beginning operations under the contract, federal employees began to face long phone wait times – up to three hours in some cases – and the website where employees were to sign up for identity protection services was down.

Beyond the problematic contracting system, the IG found that OPM’s entire information technology system wasn’t sufficiently secure and was in need of upgrades. The IG memo said that about half of OPM’s infrastructure was too old and missing security authorization.