None of the 21.5 million federal employees and contractors whose security clearance data was hacked more than three months ago have been informed, officials admit.
The Office of Personnel Management (OPM), whose systems were breached by suspected state-backed Chinese hackers, said the Defense Department will start to notify those affected that their personal information was accessed by hackers "later this month".
The agency has said that anyone who underwent a federal security clearance background investigation through OPM in 2000 or afterwards is likely affected, which includes 19.7 million contractors and employees and 1.8 million "non-applicants" whose personal data was included in security clearance applications, such as spouses.
The compromised records could include embarrassing personal details, such as arrest records or information about drug use, generated by field investigators assigned to check out disclosures made in clearance applications, officials said.
The OPM, whose head Katherine Archuleta resigned over the incident in July, said notifications would continue over several weeks and "will be sent directly to impacted individuals."
It has also been announced that a $133m contract with a firm called Identity Theft Guard Solutions has been agreed to provide credit and identity monitoring services for three years, as well as identity theft insurance, to affected individuals and dependent children aged under 18.
The White House confirmed that an interagency group is considering whether responsibility for security clearance investigations should be shifted from OPM to another government agency.
Officials added that there is no evidence that the Chinese or anyone else had tried to use the hacked data for nefarious purposes yet.