The federal government is finally getting around to notifying the 21.5 million people whose personal data may have been stolen in a massive data breach at the Office of Personnel Management, several months after the agency first revealed it had been targeted by hackers.
"Yesterday, we began mailing notification letters to the individuals whose personal information was stolen in a malicious cyber intrusion carried out against the federal government. Impacted individuals will be notified by OPM via U.S. Postal Service mail. Email will not be used," OPM Director Beth Cobert wrote in a blog post on Thursday.
Cobert said the letters will outline the theft protection and credit monitoring services being offered by the government for free, for at least three years, to those affected. The victims will also be notified of additional services they can enroll in at no charge.
OPM first announced in early June that the background investigation records of millions of current, former and prospective federal employees and contractors had been stolen in a cyber intrusion that started in early 2014. In mid-June, the agency disclosed a second larger attack that targeted information for millions more Americans who applied for security clearances. The fallout from the disclosures led to the resignation of Katherine Archuleta as director of OPM.
Last week, OPM announced that 5.6 million individuals' fingerprints were stolen in the cyberattack — more than five times the amount originally reported.
An interagency group of experts is reviewing potential ways criminals could use stolen fingerprint data. For now, Cobert said, experts believe those ways are limited.
As for why it's taken this long for official notices to go out to those affected, Cobert wrote:
"I understand that many of you are frustrated and concerned, and would like to receive this information soon. My personal data was also stolen in this breach, and I am eager to get my notification letter as soon as possible so that I can sign up for these services. However, given the sensitive nature of the database that was breached — and the sheer volume of people affected — we are all going to have to be patient throughout this notification process."
OPM spokesman Samuel Schumach told NBC News the timeline for notification isn't drawn out "given the nature of the data and the sheer amount of people impacted."
"We have taken the time needed to make sure we're getting this right," he said.