This story has been updated with new details from OPM about the timeline for postal mail notification and the official launch date of the new site.
Anyone who has undergone a federal background check to handle classified information, or is a child or spouse of such an individual, now can visit a Pentagon-hosted website to check if personal data is in the hands of suspected Chinese spies.
The U.S. government quietly Nov. 17 launched "OPM Verify,” a public, self-confirmation tool for the 21.5 million victims of the Office of Personnel hack who have not yet received notification letters or need additional help.
"We're in a soft launch period," OPM spokesman Sam Schumach told Nextgov Friday evening. "It will be fully advertised within the next couple weeks," once all the mailed notifications have either been delivered or returned.
"We're right over the 13 million mark," and sending up to 800,000 letters a day, he said. All the notices should be in the mail by the first week of December, Schumach added.
"It is ready for prime time," Paul Temple, chief executive officer of Advanced Onion, the intelligence contractor that built the system, said earlier on Friday. "It is definitely up and running."
Temple and most of his employees were affected by the allegedly nation-state sponsored attack that snatched sensitive details on people who applied for a security clearance as far back as 2000. One developer in his building confirmed he filled out his own self-check form on the osd.mil website.
Advanced Onion would not provide a link to the site, because the company did not have permission from the government.
OPM started snail mailing ID protection information to hacked individuals Sept. 30, and "a significant amount" of the letters have bounced back to the government, though less than 2 percent of the 21.5 million total, Temple said.
Of the millions of notices sent, the majority that have been returned by the Post Office had invalid addresses, he said, declining to specify the number of bounce backs because he did not have authorization.
Advanced Onion, which was contracted by the Defense Information Systems Agency, also developed a tool that catalogs reasons for the returned mail and searches for accurate home addresses.
One way of tracking down victims is the new website.
People who believe they were exposed can visit the secure site, which is hosted on a military network, to learn if their personal information matches the stolen data. Users must enter their home address, email address, Social Security number, date of birth and certain other personal details, Temple said. The site informs users they will receive a response by postal mail within the next couple of weeks, he said.
Individuals who suspect they were hacked understandably might by wary of submitting their sensitive personal information to yet another database. There is always a risk of a data breach, but the new site uses the Defense Department’s IT infrastructure and applies additional protection measures, which Temple declined to discuss for security reasons.
Website users who receive positive confirmations in the mail are offered free ID protection services. The notices provide a PIN to enter at a website operated by a separate contractor, ID Experts, which allows them to register for three years' credit monitoring, ID theft insurance and other anti-fraud services.