ms. barron-dicamillo, but first i want to ask ms.archuleta members had been concerned about the 4.2 million number that you try to string data for the record that is not a phone number. it almost surely will go up it is that the case? >> there are two incidents. in the first incident, that number is 4.2 million. and the second incident we have not reached a number. >> the number is going to go up. i understand and i am receiving calls from federal employees about opm's promise of 18 months i believe it is free credit monitoring. is it true that federal employees must pay for this service after that time? >> the services that we are offering is identity theft protection up to $1 million that we are also offering credit monitoring for 18 months which is a standard industry practice. as we look at that second notification we are looking at our whole range of options. >> transport visit -- ms. archuleta, there's a great deal of concerned not so much about the paper the amount of time. but the 18 months may be too short a period of time g

ms. barron dicamillo. >> our team was on site. an uner agency response team including law enforcement partners. we worked part of the incident response team. we're working with the system administrators daily. informing them every day of -- >> how many days did you inform them on a daily basis? >> we were there about two weeks. >> that's at least ten report ooze. >> we worked through the weekend. >> that's 14 reports they were given asserting what -- >> the daily findings. and they can change. >> did you find something and give them ideas of what needed to be done? >> why we were able to discover there was malicious malware on the network and compromised credentials, specifically -- >> how did those compromised credentials -- what were the two areas you found within their own system that should have been taken care of previously? >> we found a lack of some security mechanisms that would have helped prevent this. we weren't able to find the initial point of entry. >> can you talk about the lack of logging. >> there's logs that can

ms. barron dicamillo. >> our team was on site.er agency response team including law enforcement partners. we worked part of the incident response team. we're working with the system administrators daily. informing them every day of -- >> how many days did you inform them on a daily basis? >> we were there about two weeks. >> that's at least ten report ooze. >> we worked through the weekend. >> that's 14 reports they were given asserting what -- >> the daily findings. and they can change. >> did you find something and give them ideas of what needed to be done? >> why we were able to discover there was malicious malware on the network and compromised credentials, specifically -- >> how did those compromised credentials -- what were the two areas you found within their own system that should have been taken care of previously? >> we found a lack of some security mechanisms that would have helped prevent this. we weren't able to find the initial point of entry. >> can you talk about the lack of logging. >> there's logs that can help u

ms. barron dicamillo. >> our team was on site.n uner agency response team including law enforcement partners. we worked part of the incident response team. we're working with the system administrators daily. informing them every day of -- >> how many days did you inform them on a daily basis? >> we were there about two weeks. >> that's at least ten report ooze. >> we worked through the weekend. >> that's 14 reports they were given asserting what -- >> the daily findings. and they can change. >> did you find something and give them ideas of what needed to be done? >> why we were able to discover there was malicious malware on the network and compromised credentials, specifically -- >> how did those compromised credentials -- what were the two areas you found within their own system that should have been taken care of previously? >> we found a lack of some security mechanisms that would have helped prevent this. we weren't able to find the initial point of entry. >> can you talk about the lack of logging. >> there's logs that can he