The letter should be in the mail. That was the message from the Office of Personnel Management on Friday afternoon -- six months after disclosing an agency hack in which personal data on 21.5 million federal employees, contractors and their families was stolen.
The government has finished mailing 93 percent of the victims -- including the deceased -- notification letters offering three years of ID protection services, OPM officials said.
Mailing addresses could not be found for 1.5 million of the affected individuals. And OPM expects it will have to resend some letters because hundreds of thousands have been returned.
The attack -- suspected to be a Chinese-funded espionage operation -- grabbed background check records on security clearance applicants dating back to at least 2000, during which time many have moved.
The Pentagon last week officially launched a secure website that lets people check whether their records were compromised. Users can enter their Social Security numbers and other identifying details, along with their current addresses, to receive a status letter.
"Additional letters will be mailed as individuals contact the verification center or if we can obtain better addresses for letters returned to sender through the postal service," OPM officials said in a statement. "Due to security and privacy protections," the process of obtaining a yes or a no through the website "may take a few weeks."
As of Nov. 20, a number of letters had bounced back, though less than 2 percent of the 21.5 million total, according to Advanced Onion, a contractor hired to track down victims.
The letters provide a PIN for accessing credit monitoring, ID theft insurance and other protections. The government expects to spend $330 million over three years to cover the service.
Hackers got away with forms detailing the life histories, including medical problems, of intelligence and defense personnel, along with 5.6 million fingerprints.
"Together with our interagency partners, OPM is dedicated to delivering high-quality identity protection services to impacted individuals," OPM Press Secretary Sam Schumach said in a statement. "The interagency team continues to review the impacted data to monitor for any misuse, and the U.S. government will also continue to evaluate the coverage being provided and whether any adjustments are appropriate in association with this incident.”