Only a quarter of OPM hack victims notified

Three-quarters of the 21.5 million victims of the hack on the Office of Personnel Management (OPM) still have not been notified, six months after the breach was detected.

{mosads}About 5 million notifications have been sent out so far, an agency representative told Reuters on Tuesday.

The OPM began mailing notification letters in partnership with the Defense Department at the beginning of October, alerting victims that their data was compromised and describing the suite of identity protection services they will receive for three years.

At the time, OPM acting Director Beth Cobert called for patience throughout the notification process, which she warned could take “considerable time.”

“Given the sensitive nature of the database that was breached — and the sheer volume of people affected — we are all going to have to be patient throughout this notification process.”

Officials indicated that the process would take several weeks but declined to give a more specific estimate.

A notice on the Web site of the company tapped to provide the identity protection services — doing business as ID Experts — notes that they “estimate that notifications will continue to be made over a period of 12 weeks through the beginning of December.”

In October, the Defense Information Systems Agency awarded a separate $1.8 million contract to the technology firm Advanced Onion to locate and notify victims.

The timeline of the notification process has been under intense scrutiny, in part because the first contract was not announced until two months after the breach was revealed.

“We still don’t know. Has everybody who has been potentially impacted been notified?” Rep. Will Hurd (R-Texas) demanded in September.

“One of the forms you use in the background investigations is 100 or so pages. If you had a security clearance and your neighbors were interviewed, your neighbors’ Social Security Numbers and details were included. If you were married and let’s say you got divorced, was that divorced spouse notified?” Hurd asked.

The pressure is also high on both contractors and the OPM because the firm contracted to handle the first, smaller OPM breach — which compromised roughly 4.2 million personnel files — faced fierce criticism from federal workers and lawmakers.

Critics lambasted contractor CSID for having a website that crashed easily and lengthy phone waits to speak to a representative. Affected individuals were also critical of notification emails from CSID addresses that many people mistook for a scam.

This round of notifications will be sent via the U.S. Postal Service, Cobert said when the agency started mailing notifications last month.

“Email will not be used,” Cobert said.