The U.S. government has not yet notified any of the 21.5 million federal employees and contractors whose security clearance data was hacked more than three months ago, officials acknowledged on Tuesday.
The agency whose data was hacked, the Office of Personnel Management (OPM), said the Defense Department will begin “later this month” to notify employees and contractors across the government that their personal information was accessed by hackers.
OPM said notifications would continue over several weeks and “will be sent directly to impacted individuals.”
OPM also announced that it hired a contractor to help protect the identities and credit ratings of employees whose data was hacked.
In a statement, OPM said it had awarded a contract initially worth more than $133 million to a company called Identity Theft Guard Solutions LLC, doing business as ID experts, for identity theft protections for the 21.5 million victims of the security data breach. The contractor will provide credit and identity monitoring services for three years, as well as identity theft insurance, to affected individuals and dependent children aged under 18, the agency said.
Officials have said that compromised records could include embarrassing personal details, such as arrest records or information about drug use, generated by field investigators assigned to check out disclosures made in clearance applicants.
U.S. investigators have said they believe the hackers were based in China and probably were connected to the Chinese government. So far U.S. security officials have found no evidence that the Chinese or anyone else had tried to use the hacked data for nefarious purposes, officials said.
An interagency group is considering whether responsibility for security clearance investigations should be shifted from OPM to another government agency. The White House confirmed such a study is under way.