The Office of Personnel Management has already told key lawmakers that it may need tens of millions of dollars in new funding after two massive hacks compromised the data of millions of current, former and prospective federal workers, but OPM's funding needs seem likely to grow even more as the agency copes with what some say is the biggest theft of government data in history.
After embattled OPM Director Katherine Archuleta was asked last week what kind of funds she needs to cope with the data breach, OPM told Congress that another $37 million would help expedite its ongoing IT upgrade project. But that request was made at the staff level and did not represent an official request for additional funding, an OPM spokesman and congressional aides stressed.
Still, that number could just be the tip of the iceberg in terms of the money OPM will be needing. OPM is expected to announce in the coming days how many more people were affected by the breach, beyond the 4.2 million current and former workers it has already announced.
Some have suggested as many as 18 million people or more will end up being victims of personal data theft, and that could add to OPM's costs.
RELATED: Feds expected to reveal more data on who was hacked this week
For example, OPM has already spent about $20 million notifying a few million people that their sensitive information was stolen, and given them access to 18 months of free credit monitoring. If the number of affected people explodes, that cost could rise.
Archuleta told Senate appropriators last month that she didn't know yet whether OPM would need more funding to cover those kinds of costs.
Another issue is whether OPM will soon reveal that federal contractors had their data stolen. Stan Soloway, head of the Professional Services Council, a trade group representing government contractors, said contractors were not part of the original 4.2 million people notified that their information was imperiled. He said when the number is revised upwards, contractors will surely be ensnared.
"People are wondering" when the next shoe will drop and who will pay for credit monitoring and other services, he said. "It could get expensive," Soloway said, noting that contracting firms will surely look to OPM to pay the freight.
RELATED: Government's 'free' ID theft protection could cost $20 million
"[M]any questions have arisen as to what support and/or benefits … will be provided" to the new tranches of affected individuals, Soloway wrote to Archuleta last week. "I would thus further request that you promptly provide clarification as to what services will be offered, if any, to these individuals by the government."
On June 29, OPM posted an ad seeking four senior IT project managers to help oversee the migration project. Each position pays between $121,956 to $168,700 and would report to Chief Information Officer Donna Seymour, who is also under fire on Capitol Hill.
The project manager "will serve as one of the key experts within CIO to provide leadership of critical IT initiatives in support of the dynamic migration of existing software applications to OPM's new infrastructure environment … and deployment of the enterprise case management system…across OPM, reads the ad on the federal government's official job website that closes July 22.
It is unclear if those positions would be covered by the agency's current budget request for fiscal year 2016, which starts Oct. 1, or if Archuleta and Seymour hope to pay for it with the possible additional $37 million request.
The likelihood of new costs for OPM comes after OPM has already been spending money on IT modernization, although not with the impact that Congress had hoped. OPM said in June that from 2014 to 2015, OPM's modernization budget jumped from $31 million to $87 million, and the Obama administration was already asking for $21 million more before the hack was publicly announced.