More than a month and a half after finding out that hackers had stolen highly sensitive data from its security clearance systems, the US government's human resources arm has yet to notify millions of government employees that their data was stolen.
These government employees are part of a second breach at the Office of Personnel Management (OPM), which the agency detected in early May, a month after detecting another one, which affected the personal information of around 4 million workers.
OPM has started to notify the victims of the first breach, although it has failed to do it properly, sending notification emails that looked like a phishing attempt. But for now, victims of the second breach are still being kept in the dark, despite the fact that they are at a higher risk of being targeted by hackers in other countries, since the data OPM had on them has been described as a "gold mine" for foreign spies.
The agency has yet to reveal how many employees are victims of the second breach, and that might be because it doesn't even know. On Monday, however, CNN reported that the total number of people affected, including the 4.2 million that have been disclosed so far, could be 18 million.
OPM Director Katherine Archuleta appeared before the Financial Services and General Government Subcommittee in the Senate on Tuesday, her second public appearance since OPM revealed it had suffered two massive data breaches.
"We're working on determining the scope of that breach," she said during her testimony, adding that the agency is developing a notification process.
When Sen. Jerry Moran (R-KS) asked exactly how many people were or could've been affected in the second breach, she answered, "I don't have a number for you on that."
During the hearing, Archuleta declined to even estimate how many people could potentially be affected based on how many files the agency has, saying that some of the "millions" of security clearance files include names and information of family members and friends of people who have (or have had or applied for) a security clearance.
An OPM spokesperson declined to provide more details regarding the scope of the breach.
It's this second breach that has many experts worried. Having access to security clearance data, including data from the thorough application and adjudication process, makes it "fast and easy" to identify spies acting undercover, according to John Schindler, a security consultant and a former NSA counterintelligence officer.
"For American spies abroad, this can be a matter of life or death, and any personnel sent into countries where they could be targeted for kill or capture—which in the age of the Islamic State is a depressingly long list—need to be deeply concerned about how much the OPM breach has complicated, and perhaps threatened, their lives," Schindler wrote in The Daily Beast.
Other than dodging questions on how many people could be affected, Archuleta also refused to blame herself or anyone else at OPM for the breaches, despite the fact that OPM's Inspector General had for years warned that the agency's systems were vulnerable to attacks.
"If there's anyone to blame, it is the perpetrators," Archuleta said.
For millions of potential victims, who are still wondering whether their personal information, and perhaps even lives, are at risk, that might not be good enough.