The US government has not yet notified any of the 21.5 million federal employees and contractors whose security clearance data was hacked more than three months ago, officials have acknowledged.
The agency whose data was hacked, the Office of Personnel Management (OPM), said the Defense Department would "later this month" begin to notify employees and contractors across the government that their personal information was accessed by hackers.
OPM said notifications would continue over several weeks and "will be sent directly to impacted individuals."
OPM also said it had hired a contractor to help protect the identities and credit ratings of employees whose data was hacked.
In a statement, OPM said it had awarded a contract initially worth more than US$133 million to Identity Theft Guard Solutions for identity theft protections for the 21.5 million victims of the security data breach.
The contractor will provide credit and identity monitoring services for three years, as well as identity theft insurance, to affected individuals and dependent children aged under 18, the agency said.
Officials have said that compromised records could include embarrassing personal details, such as arrest records or information about drug use, generated by field investigators assigned to check out disclosures made in clearance applicants.
US investigators have said they believe the hackers were based in China and probably were connected to the Chinese government. So far US security officials have found no evidence that the Chinese or anyone else had tried to use the hacked data for nefarious purposes, officials said.
An interagency group is considering whether responsibility for security clearance investigations should be shifted from OPM to another government agency. The White House confirmed such a study is under way.