Nearly 26 million people who had their information leaked during two Office of Personnel Management (OPM) data breaches in 2014 and 2015 may be entitled to up to $10,000 after a class action lawsuit against the agency was settled for $63 million.
The breaches – revealed in the summer of 2015 – affected federal government employees, contractors and others who worked with the agency and who went through background checks. The breaches gave hackers access to the 127-page Standard Form 86 (SF 86), a questionnaire for national security positions that included the names, Social Security numbers and other sensitive information of victims and their families.
A bevy of lawsuits were filed against the agency as well as Peraton Risk Decision, the contractor OPM used for background checks.
The cases were consolidated into one, and the $63 million settlement was reached last month. The United States District Court for the District of Columbia appointed Epiq Class Action & Claims Solutions to manage the procedures for notifying victims and distributing cash payments to them.
Last week, the court asked Epiq to begin issuing notices of the settlement, and a website created by the firm says most people will receive about $700.
To qualify for the settlement, victims must show that their personal information was compromised in the breach and that they were forced to spend money or time related to the breach.
This includes the time or money associated with freezing or unfreezing a credit report, purchasing a “credit monitoring product, credit or identity theft protection product,” or evidence that they personally dealt with an attempted identity theft.
“Eligible claimants under the Settlement will receive $700 or the actual amount of the claim—whichever is greater—up to a maximum of $10,000, unless the total value of all valid claims, plus any incentive awards to named plaintiffs, exceeds the amount of money in the fund,” the law firms said.
“OPM (as authorized by Congress) has made free credit monitoring and identity theft protection services available to all individuals whose personal information was compromised in the data breaches.”
The notice adds that the settlement allows both OPM and Peraton Risk Decision to continue denying that they did anything wrong in relation to the data breach. In 2015, Obama administration officials attributed the breach to hackers connected to the Chinese government. The Chinese government has denied any involvement in the incident, but the use of PlugX and other clues have prompted U.S. officials to repeatedly attribute the attack to Chinese government hackers.
In 2017, Yu Pingan was arrested by the FBI at Los Angeles International Airport for his role in creating the “Sakula” malware that was used in the attack.
Lawyers did not accuse him of being personally involved in the OPM hack, and after spending 18 months in jail, he pleaded guilty to conspiracy to commit computer hacking. He was sentenced to time served before returning to China.
The breach is now considered one of the largest and most important incidents to affect the U.S. government. Both OPM director Katherine Archuleta and department CIO Donna Seymour resigned in the aftermath of the incident.
The agency heads were criticized in a Congressional report for not heeding warnings from several other departments that OPM was not doing enough to protect sensitive information.