U.S. has yet to notify 21.5 million data breach victims: officials

WASHINGTON - Two months after discovering that sensitive personal information on 21.5 million Americans was compromised in a hack of government databanks, none of those affected has been officially notified, government officials said on Tuesday. The officials from multiple agencies, who are familiar with an investigation into the breach, said the Office of Personnel Management (OPM), which oversaw the data, is working with other agencies to set up a system to inform the victims. One official at OPM, who declined to be identified, said that because of the complicated nature of the data and the fact that government employees and contractors often move among different agencies, it would be weeks before a mechanism was in place. The official said the government was trying to establish a centralized system rather than leave the notification to separate agencies. OPM is expected to hire an outside contractor but has not yet sought bids for the work. The head of the OPM, Katherine Archuleta, resigned last Friday after coming under heavy fire in Congress over the security breach, which was disclosed in May, and an earlier OPM hacking that was made known in April. Government officials suspect Chinese hackers were responsible. Almost all the 4.2 million people exposed in the earlier breach, which affected only basic job application data, have been notified, a U.S. official said. They have been invited to enroll in an identity protection program. The much larger breach discovered in May and made public last week involved much more sensitive personal information OPM gathered for security clearances investigations of current, former and prospective federal employees and contractors. They included 19.7 million contractors and employees who applied for security clearances, and 1.8 million "non applicants" whose personal data was included in security clearance applications, such as spouses. OPM has said that anyone who underwent a security clearance background investigation through OPM in 2000 or afterwards is likely affected by the latest data breach. There is some overlap among the individuals whose data was compromised in the two breaches. - Reuters