The holiday shopping season is in full swing. Americans will put miles on their credit cards and wear holes in their wallets with expected spending.

Financial experts are warning us to watch out for scammers at the cash register or on fake websites. However, your biggest vulnerability may stem the federal government’s lax protection of your private data. Their efforts have done little to quell serious concerns of fraud.

As we know, the Office of Personnel Management was hacked twice over the past year. A personnel file breach exposed the personal and career info of 4 million current or former federal employees. A security clearance breach caught the information of over 21 million who people who applied for security clearances, or had them renewed, which includes most of the federal employees from the personnel breach as well as current or former military or contractor personnel. Another 1.8 million victims were identified in another person’s application.

After months of hiding the massive data breach, the government finally came clean and began the process of contacting all of those individuals to alert them that they are at risk of fraud and offering them credit free monitoring services. Those letters started shipping out of Washington, DC in October and the last batch of notices are set to roll out this week. So far, only 1.5 million people –less  than 10 percent of total victims – have signed up for identity and credit monitoring services.

Given that all of their personal, professional, and even financial information collected by the government was hacked, it’s not surprising that victims aren’t running to turn over more info again.

The Washington Post reports:

Some who have received notices have expressed reluctance or refusal to turn over the personal information required to sign up. In addition to the personal identification numbers, or PINs, included in the notices, they are asked to provide their Social Security numbers, birth dates and other personal information.

One recipient said that after starting the sign-up process online, “I stopped there. Why should I give that information? Isn’t that the purpose of the identifying PIN number?” she said in an email asking to remain anonymous to protect her privacy. “I’m not convinced this is not yet another scam.”

Schumach said the contractors need that information to start the credit and identity monitoring services, since OPM did not give them full Social Security numbers, only the last four digits plus the PIN.

In addition, the OPM set up a website and hotline for people who believe they may be victims but have yet to receive a letter. However, OPM is saying to those people: “hold your horses!” Potential victims must wait until all of the letters go out because OPM doesn’t want to get overwhelmed. But, isn’t the point of setting up the website so that people can get answers rather than wait potentially indefinitely?

When you suspect that you are a victim of fraud you don’t wait for scammers to rob you dry, you are proactive. Too bad the government doesn’t feel the same urgency or hold protecting Americans as a paramount priority.

This is drawing rightly-deserved ire:  

The pace of the government’s response has drawn complaints from some consumer advocates. “It’s incredible how long this is taking OPM,” said Ed Mierzwinski, the federal consumer program director at U.S. PIRG, the federation of state public interest research groups.

The government says it's almost done mailing out notifications to people whose information was stolen, but it's hard to verify how many people have received them because some may have gotten lost in the mail or been sent to old addresses.

But even if a person has not received a letter by the middle of this month, that doesn’t necessarily mean his or her data was safe. Instead, it may show that the government couldn’t find a valid address for the person, according to the blog post.

Some question why the government took so long to get these sort of checks set up for the background investigation breach. "Why couldn't they put a website like that up six months ago?" asked Mierzwinski.

                                                                       

The government maintains records on individuals dating back decades and so is tapping government databases such as payroll files and USPS change of address forms to track down those they can’t find. When the government wants to track you down, it has access to a sweeping network of databases from other federal agencies. That is part of the problem.

We voluntarily and involuntarily turn over significant information about our lives to a federal bureaucracy. Data breaches often occur because of slothful responses remind us of just how unsafe our information is though and how inept at protecting that information these agencies are. That there haven’t been massive data breaches in the past may be less a testament to their stewardship, but to chance.

In the meantime, while OPM sorts itself out, victims are left to fend for themselves. A website and hotline are band aid solutions. I hope someone is working on fixing the underlying issue of data insecurity.