After federal data breach, red tape snarls victim's search for answers

In order to work on a U.S. Department of Energy contract, Joe Stoebner had to obtain top-secret, Q-level security clearance. If he or anyone in his Eden Prairie company let slip any classified information, Stoebner said he could face 10 years in prison and a $100,000 fine.

Yet for the past five months, the federal government has been unable to say whether it has lost control of the volumes of private information Stoebner gave it to obtain his security clearance.

As many as 21.5 million victims of the massive Office of Personnel Management data breach have received letters alerting them that hackers may have filched their Social Security numbers, fingerprints and other sensitive data. Stoebner's wife got one of the letters. So did his son, who also works for his company.

Stoebner tried repeatedly to find out whether he, too, is a victim.

"I'm extremely frustrated, and I'm extremely worried," he said in an interview last week. "My worry is I will never find out, and I will have no protection."

Stoebner, 71, is chairman of AVI Systems, a 500-employee, $75 million company that installs and maintains videoconferencing systems, digital signage and other technology for meeting rooms and offices.

When a Department of Energy contract came along in 2010, Stoebner went through the ordeal of obtaining top-secret clearance.

He provided information about family, friends, neighbors, former employers. Many were interviewed by investigators hired by the government.

He answered questions about his emotional health, submitted to a drug test, provided fingerprints. The data added up to a 45-page stack that someone could use to do a convincing impersonation of him for nefarious purposes.

In April 2015, OPM learned that hackers, probably in China, had stolen information on 4.2 million current and former federal employees. A second, larger breach, involving people subject to federal background investigations, was discovered in June.

The agency responded by offering three years of credit monitoring and identity theft protection to anyone whose information was in a compromised database. Late last year, OPM announced that it had notified 93 percent of those affected.

What Stoebner calls his "information merry-go-round" began Jan. 15. That day, he called OPM. He was referred to ID Experts, the contractor hired by the government to perform identity-theft monitoring for victims of the breach. ID Experts took his personal info, entered it into a database and told him to wait two to four weeks.

He heard nothing. So he went online on March 8, and entered the same personal info on the OPM's verification page. Again he was told to wait two to four weeks. The next day he called OPM again. Once again he was referred to ID Experts.

He talked to Stacey, who told him to wait two to four weeks. He asked for her supervisor and was transferred to Rick. Rick told him to wait until April 5.

Stoebner waited an extra month before calling ID Experts on May 5. This time, he got Lizzie, but asked for Rick. Rick wasn't available, but her supervisor Scott was. Scott said Stoebner would have to wait.

Two to four weeks.

Meanwhile, someone made seven fraudulent credit card charges on Stoebner's American Express card, making him even more concerned.

Sam Schumach, press secretary for OPM in Washington, said it's up to his agency, not ID Experts, to verify if someone is affected by the breach. Stoebner "might actually have gotten some misinformation" when he was told to contact ID Experts, Schumach said.

So Schumach invited him to contact him directly, which he did on Thursday.

On Friday, Stoebner had his answer: Indeed, his personal information was exposed during the intrusion.

"It turns out that in order to de-duplicate letters that go out (and save taxpayer dollars), requests for a letter are canceled when a new request comes in, thus restarting the whole verification center process again," Schumach wrote to him. "That may be what was going on."

So now Stoebner qualifies for federal help. "No way will I sign up for government-sponsored monitoring," he said Friday. "I use LifeLock."

Contact James Eli Shiffer at james.shiffer@startribune.com or 612-673-4116.