In the two months since discovering that the sensitive personal information of 21.5 million Americans was compromised by a hack of U.S. federal computer networks, the government has yet to officially notify any of the victims, Reuters reported Tuesday (July 14).
Officials from multiple agencies told Reuters the Office of Personnel Management (OPM), which oversaw the stolen data, is working to setup a system to alert those affected but the mechanism will most likely still take weeks to complete.
While OPM recently claimed to impede 10 million intrusion attempts in an average month, the fact that such a massive breach in security was able to take place has cast a dark shadow over the office and its management. Just last week, OPM Director Katherine Archuleta resigned shortly after the office released the actual number of those left exposed by the considerable personnel data breach.
While it may have been understandable for OPM to take time confirming the full scope of the cyberattacks, as it needed time to perform its own forensic investigation, it remains unclear why there has been such a delay in reaching out to those impacted by the attacks.
An OPM official, who requested not to be identified, told Reuters the complicated nature of the data, coupled with the fact that government employees and contractors frequently move among various agencies, means it may be some time before all of the victims are notified. The government is attempting to establish a centralized system for notification rather than relying on separate agencies, the official said, also noting there is an expectation OPM may hire an outside contractor to perform the work.
Considering the nature of the data exposed, along with reports of the data breach going undetected for a full year, it seems there would be a higher priority placed on protecting those who have been impacted by first providing them with official notification.
In a recent agency release outlining the details of its internal investigation into the attacks, OPM said: “Following the conclusion of the forensics investigation, OPM has determined that the types of information in these records include identification details such as Social Security Numbers; residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history; and other details.”
“Some records also include findings from interviews conducted by background investigators and fingerprints. Usernames and passwords that background investigation applicants used to fill out their background investigation forms were also stolen,” the statement continued.
While no official communication may be sent to victims for some time, OPM has confirmed that anyone who went through a security clearance background investigation performed by the office since 2000 can likely assume their information was compromised by the data breach.