WASHINGTON (Reuters) - Fewer than a quarter of 21 million federal workers hit by a major computer hack have been officially told that their personal information was compromised, six months after the breach was detected, a U.S. government official said on Tuesday.
About 5 million notifications about the hack have been sent out so far, a spokesperson for the U.S. Office of Personnel Management (OPM) told Reuters in an email.
The slowness of the notification process underscores Washington’s struggles in dealing with its computer vulnerabilities, a growing problem that the Obama administration has been trying to address.
After it fell victim to two successive cyber attacks, both begun in 2014 and revealed earlier this year, OPM was roundly criticized by lawmakers for its response.
OPM had no immediate additional comment on the matter on Tuesday, or on its expected timetable for the remaining notifications.
Officials have privately blamed China for the OPM breach.
The Defense Information Systems Agency in September awarded a $1.8 million contract to Advanced Onion, a technology firm, to help locate and notify victims of the OPM breach, which exposed names, addresses, Social Security numbers and other sensitive information of current and former federal employees and contractors. About 5.6 million fingerprints were pilfered, an upwardly revised number from an initial estimate of 1.1 million.
The notification process for the smaller of the two breaches, which affected 4.2 million individuals, raised alarm when victims were asked to follow instructions online in prompts that some said resembled phishing scams. Others complained of long wait times with support call centers. That episode prompted the government to pursue Advanced Onion to deal with the larger breach, a process that took several months.
It has been six months since the larger OPM hack was detected, and more than a year and a half since hackers first infiltrated the agency’s databanks.
In July, OPM Director Katherine Archuleta resigned amid growing scrutiny of the agency’s cybersecurity practices and its ability to respond to the breaches.
Officials have offered three years of credit monitoring and identity-theft monitoring services to hacked employees.
Despite the precaution, a prominent cybersecurity researcher said on Monday there was no indication any hacked OPM data was for sale on the black market, reaffirming the likelihood that the hackers were working for a foreign country.
Reporting by Dustin Volz; editing by Kevin Drawbaugh, Bernard Orr