Millions of government workers whose information was implicated in this year’s expansive Office of Personnel Management hack still haven’t been notified, the agency revealed this week.
The agency announced Tuesday that it would contact 21.5 million federal employees and contractors “later this month” to inform them their information may have been accessed by hackers and that the notifications would continue over the “next several weeks.”
The news comes five months after the government agency claimed it would be sending notifications to individuals, back in June, when the incident surfaced.
The agency also confirmed Tuesday that it has hired a contractor, Theft Guard Solutions, a/k/a ID Experts, to further look into the compromise. OPM claims its contract with the Oregon-based firm, valued just north of $133 million, will provide victims with credit monitoring, insurance, and other services for three years.
Michael McCord, the Comptroller for the Department of Defense, first requested $132 million via a “Reprogramming Action” (.PDF) at the end of July “to provide a suite of identity monitoring and recovery services” for those affected by the hack.
Those affected by the hack will apparently receive a letter through the U.S. Postal Service which will include a PIN that can be used to enroll in the new credit monitoring and identity monitoring services through the government contract.
The OPM previously spent $20 million to provide theft protection services for 4.2 million people involved in a “separate but related cybersecurity incident,” identified in April.
Information leaked by the hacks purportedly includes workers’ Social Security numbers, dates of birth, employee performance records, employment history, employment benefits, resumes, school transcripts, and any military service documentation, along with 1.1 million fingerprints and findings from interviews conducted by background investigators.
Earlier this week a Los Angeles Times report claimed that attackers in Russia and China, who many experts have maintained are behind the OPM hack, are cross-referencing data from the breach, along with data from other recent breaches like Anthem and Ashley Madison, to squirrel out U.S. officials.
While many of the victims won’t learn for another few weeks that their information was accessed, OPM insists that as of Sept. 1, anyone ultimately impacted by the hack will be covered by the new services.
“As of September 1, 2015, all individuals impacted by the background investigation incident will be covered by identity theft and restoration services,” reads one part of a F.A.Q. on OPM’s site.