The U.S. government on Wednesday began notifying the 21.5 million victims of a vast breach of background check information, the Office of Personnel Management announced Thursday.
Employees who applied for a clearance to handle classified intelligence, anytime between this spring and 2000, as well as their family members should look out for letters -- not emails.
The mailings will reveal for the first time whose fingerprints were stolen -- a group officials disclosed last week has risen to 5.6 million people, OPM Acting Director Beth Cobert said in an OPM blog post.
The letters also will include directions on how to obtain “at least three years” of free identity protection services, she said.
OPM, the agency storing the data taken, is keeping to a notification schedule announced early last month. The government first learned of the hack in April while deploying new security tools.
“As we have noted before, those impacted by this breach are already automatically covered by identity theft insurance and identity restoration services,” Cobert said. “However, the federal government is providing additional services that impacted individuals are encouraged to enroll in."
The letters will include a unique PIN the victim will need to register for the protections
OPM has not indicated whether the letters will specify for each victim the fields of data the hackers copied. It is believed Chinese cyberspies pried open investigative forms detailing the biographical histories, sex lives and medical issues, and other personal circumstances of some of the country’s top national security leaders.
Cobert said the “nature of the information involved has national security implications.”
Cybersecurity experts have said such data could be used to craft “spearphishing” emails that trick individuals into sharing intelligence with a seemingly trusted acquaintance – or to financially defraud people.
The 4.2 million victims of a smaller, related hack who were notified by email in June complained the alerts looked like spam mail and some messages when to their junk box.
To avoid scams, “note that neither OPM, nor anyone acting on OPM’s behalf, will contact you to confirm any personal information,” Cobert said.
It could be a while before past, present and potential federal employees learn the fate of their personal information.
While the Postal Service will begin delivering letters this week, “it could take considerable time to deliver them all,” Cobert said.
She expressed sympathy toward the millions of people affected by the historic breach of government and personal data.
“I understand that many of you are frustrated and concerned, and would like to receive this information soon,” Cobert said. “My personal data was also stolen in this breach, and I am eager to get my notification letter as soon as possible so that I can sign up for these services. However, given the sensitive nature of the database that was breached – and the sheer volume of people affected – we are all going to have to be patient throughout this notification process.”
The Pentagon, which is assisting with the notification effort, has hired a tech company to track down individuals whose letters are returned to the government. In about a month, a website will be available for people who have not been notified, but believe their data was netted by the attackers, to check whether their names are among the 21.5 million.