When it was announced that a group of people hacked into Office of Personnel Management systems and stole over 2.1 million social security numbers, people were shocked. Sadly, it turned out those first reported numbers were far lower than the 21.5 million people who were really impacted, and the data breached was far worse than just social security numbers as over a million people had sensitive data like their fingerprints stolen.
Six months later and the government is now notifying the victims. Unfortunately, alerting over 21 million people is a difficult task. As reported by Reuters, there are still 1.5 million people who have not been notified that their personal data has been compromised. Although physical mail was sent out to everyone, the OPM database had out of data information on roughly 7% of individuals, so those pieces of mail were returned as undeliverable. The organization debated contacting people by email, but a previous attempt ironically resulted in emails that looked like phishing attempts, so they will instead close the gap by initiating a media campaign telling potential victims where to go to see if they were impacted.
Aside from the logistics of sending notifications out to everyone, it's important to note that researchers have seen no indications that the stolen data has been put up for sale, lending further proof to the idea that the Chinese government was actually behind the OPM breach. This may be the beginning of attacks against systems for reasons other than selling the data, as we wrote about in October.