Nearly three months after the US Office of Personnel Management (OPM) discovered its databases had been compromised by Chinese hackers, the government still hasn't notified the employees and contractors affected by the breach.
On Tuesday, the OPM said it planned to start the process of informing victims "later this month," and that reaching everyone is expected to take several weeks.
The Department of Defense will send notifications directly to affected people by postal mail, the agency said.
"Millions of individuals, through no fault of their own, had their personal information stolen and we're committed to standing by them, supporting them, and protecting them against further victimization," OPM acting director Beth Cobert said in a statement, adding, "And as someone whose own information was stolen, I completely understand the concern and frustration people are feeling."
The OPM first noticed the hacking incidents in June, although it was later determined that the attackers had probably been slurping data from the agency's systems for more than a year.
At first it was thought that around 4 million individuals' records had been snaffled. But after a second leak was discovered, the total figure eventually ballooned to 21.5 million. Nearly all of them are still waiting to be notified as to whether they were affected.
Among the data that is thought to have leaked are records of Standard Form 86, an exhaustive questionnaire designed for people who are requesting security clearances. It covers just about every personal and financial detail about each applicant, including employment, criminal, and health records.
Naturally, many of the people whose information is now in the hands of the hackers – who are believed to have ties to the Chinese government – are currently employed in sensitive positions at various levels of the US government and military, making this particular data breach especially egregious.
Also on Tuesday, the OPM said it has secured a contract with a company to provide identity theft protection and monitoring services for everyone affected by the breach. Identity Theft Guard Solutions, doing business as ID Experts, will provide these services for free to victims and their dependent children under the age of 18 for a period of three years.
The total cost of the contract to the government will be $133,263,550 (£87,075,070), OPM said. By comparison, it earlier asked Congress for $21m to secure the systems that allowed the leak.
Anyone who's worried that they may be one of the ones whose information has been snatched can find more information and sign up for email alerts here. ®