Identity Protection for OPM Breach Victims Expires After 10-Year Federal Program
Identity theft protection services for victims of the 2015 Office of Personnel Management breach are beginning to expire 10 years after enrollment, closing a major federal remediation effort tied to one of the most damaging U.S. government cyber intrusions. The breach affected more than 22.1 million people, including federal employees, security-clearance applicants, and family members, across two incidents involving personnel records and background-investigation data; the intrusions were widely assessed as linked to China. OPM first offered three years of coverage, then expanded benefits to 10 years under the Consolidated Appropriations Act of 2017, with contracts worth hundreds of millions of dollars awarded to ID Experts, now IDX.
OPM said it considered extending the program but decided against it because of high costs and low recent claims, while the Government Accountability Office had argued the coverage was excessive and could distort the market. A 2022 class-action settlement set aside $63 million for hardship claims, but only about $4.8 million was paid to just over 5,000 people before the remaining funds were returned to the U.S. Treasury. The expiration has drawn mixed reactions from affected individuals, with some warning that the stolen data could create lifelong risk, while others say a decade of support was sufficient; some recipients also reported follow-up marketing from IDX encouraging them to buy continued coverage on their own.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Identity protection benefits for OPM breach victims begin expiring
Ten years after enrollment, identity theft protection services for people affected by the 2015 OPM breach began to expire in 2026, ending a major long-term federal response to the incident. Some recipients reported surprise at the expiration, while IDX followed up with marketing emails offering paid continued coverage.
OPM declines to extend identity protection beyond 10 years
Before the 10-year coverage period ended, OPM said it considered extending the identity protection program but decided against doing so because of high costs and low recent claims. Critics, including the Government Accountability Office and some lawmakers, had debated the scope and duration of the coverage.
Class action settlement creates $63 million hardship fund
A 2022 class action settlement made $63 million available for hardship claims by people affected by the OPM breach. According to later reporting, only about $4.8 million was ultimately paid to just over 5,000 individuals, with the remainder returned to the U.S. Treasury.
Congress expands OPM breach coverage to 10 years
Under the Consolidated Appropriations Act of 2017, Congress extended identity protection coverage for OPM breach victims from three years to 10 years and increased associated insurance coverage. This significantly expanded the federal government's long-term remediation effort.
OPM begins offering three years of identity protection to victims
Following the breach, OPM provided affected individuals with three years of identity theft protection and related remediation services as part of its initial response. The services were delivered through contracts with ID Experts, later renamed IDX.
OPM breach exposes records of more than 22.1 million people
In 2015, two Office of Personnel Management-related breaches exposed federal personnel records and security-clearance applicant data affecting more than 22.1 million people, including employees, applicants, and family members. The intrusion was widely assessed as linked to China.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
10 years after OPM data breach, identity protection benefits for affected feds start to expire - Government Executive
govexec.com
Open source10 years after OPM data breach, identity protection benefits for affected feds start to expire - Nextgov/FCW
nextgov.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
OPM Breach Exposed Security Clearance Files and Fingerprints of 22.1 Million People
Hackers tied by multiple reports to China penetrated the U.S. Office of Personnel Management and accessed some of the government’s most sensitive personnel systems, including databases linked to federal employee records and the `e-QIP` security-clearance platform. What was first described in 2014 as a detected intrusion later emerged as one of the most damaging breaches of U.S. government networks: authorities said the attackers compromised records on **22.1 million people**, including current and former federal workers, contractors, applicants, and others connected to background investigations. The stolen data included Social Security numbers, health and financial details, background-investigation forms, and **5.6 million fingerprints**, raising fears that the information could be used to build long-term intelligence dossiers on U.S. personnel. The breach triggered resignations, congressional scrutiny, and years of criticism over OPM’s security failures. OPM Director Katherine Archuleta resigned after the scale of the compromise became clear, and CIO Donna Seymour later stepped down amid pressure from lawmakers and investigators. Reports said the intrusion was discovered during a security product demonstration, while watchdogs accused OPM officials of obstructing parts of the investigation and the Government Accountability Office later found that dozens of recommended fixes remained incomplete years after the attack, including weaknesses around passwords, shared administrative accounts, and contractor oversight.
May 25, 2026
Kelly Benefits Reports Data Theft After Unauthorized Network Access
Kelly & Associates Insurance Group, Inc. (**Kelly Benefits**) disclosed that an unauthorized party accessed its environment between **December 12 and December 17, 2024** and copied certain files from its systems. The company said it engaged third-party forensic specialists to investigate, completed its review of the affected files on **March 3, 2025**, and determined that the compromised data included individuals’ names along with additional, unspecified data elements. Kelly Benefits also reported the incident to the **FBI** and said it notified affected data owners and impacted individuals. The breach notices say Kelly Benefits is offering complimentary **IDX** credit monitoring and identity protection services to affected people, with enrollment available until **September 30, 2025**. The company’s notices also direct recipients to consider fraud alerts, credit freezes, and ongoing credit report monitoring, and one state filing indicated that about **14 Rhode Island residents** were affected.
May 25, 2026
U.S. Data Compromises Reach Record Levels as Mega-Breach Counts Fluctuate
The **Identity Theft Resource Center (ITRC)** reported that U.S. data compromises (breaches, leaks, and accidental exposures) reached a new record in 2025, rising **4%** year-over-year to **3,332** incidents—an increase of **79%** over five years and the third consecutive year exceeding 3,000 events. Despite the higher incident count, the number of affected individuals fell sharply to **278.8 million** (down from **1.36 billion** in 2024), which was attributed to the relative absence of **“mega breaches”** that have driven outsized victim totals in prior years. Consumer impact indicators remained negative: an ITRC poll cited widespread breach-notice exposure (most respondents receiving at least one notice) and reported downstream harms including **account takeover** and increased **phishing/spam**, alongside “breach fatigue” reducing follow-on protective actions. Separately, *Hackmageddon* continued its annual tracking of **mega breaches** (defined as incidents involving **>1 million records**) for 2026, reinforcing that large-scale events are monitored as a distinct category that can disproportionately influence annual victim counts even when overall incident volume trends upward.
Mar 21, 2026