None of the 21.5 million Americans whose personal details were compromised in a hack of government databanks have been informed yet, say officials.
The government discovered the breach two months ago, but one official at the Office of Personnel Management (OPM), which oversaw the data, said the complicated nature of the data and the fact government employees and contractors often move between agencies meant it would be weeks before a mechanism was in place.
The government is trying to establish a centralized system rather than leave the notification to separate agencies, according to the official who declined to be identified.
Officials from multiple agencies, who are familiar with the investigation into the breach, said the OPM is working with other agencies to set up a system to inform the victims. The OPM official said the organisation is expected to hire an outside contractor, but has not yet sought bids for the work.
This is the second breach of OPM’s systems this year after hackers – who government officials suspect originate in China – stole the job application details of 4.2 million people, though they have all been notified and invited to enrol in an identity protection program.
Coming under heavy fire in Congress over the security breach for both incidents, the OPM’s head Katherine Archuleta resigned last Friday.
The much larger breach discovered in May, made public last week, involved much more sensitive personal information than the previous one, which OPM gathered for security clearance investigations of current, former and prospective federal employees and contractors.
This included 19.7 million contractors and employees who applied for security clearances and 1.8 million "non-applicants" whose personal data was included in security clearance applications, such as spouses.
OPM has said that anyone who underwent a security clearance background investigation through OPM in 2000 or afterwards is likely affected by the latest data breach, though there is some overlap among the individuals whose data was compromised in the two breaches.