Imagine walking around as a victim of a crime and not even knowing it. That’s the case for a couple million Americans. The Office of Personnel Management (OPM) has yet to notify two million people that they were the victims of a massive data breach from more than a year ago.

Some 21.5 million current and former employees and some of their family members were victims of two separate data breaches of personal information such as names, Social Security numbers, and addresses—more than enough info to do damage to victim’s credit. The first breach hit about 4.2 million people, while the second breach hit the background information submitted for security clearances. 

OPM began notifying those individuals about the breach and their eligibility for identity restoration services and insurance costs related to identity theft. Free identity and credit monitoring services are also available, but victims must apply. Unfortunately, 10 percent of the letters to victims were returned due to incorrect or changed addresses.

OPM’s Acting Director Beth Cobert isn’t too worried. Federal News Radio reports her comments:

“We have worked to get updated addresses for those whose letters were returned and we are now remailing letters to those who did not receive their original notification letter for the background investigation records incident,” Cobert said “The letter being mailed will clearly state at the top that it is a duplicate of the letter previously sent, but not successfully delivered.”

OPM launched a new website with an in-depth FAQ section of dozens of answers to common questions. So what should those who suspect they were victims but have not been officially notified because their address changed do? Be proactive:

OPM attempted to obtain the best available address for individuals using government and commercial sources. If you believe you may have been impacted but did not receive a letter, we have partnered with the Department of Defense to establish a Verification Center. You can contact the Verification Center to provide your current address where your letter will be mailed. Please note that your address will not be updated in any other government database.

That’s convenient for OPM but not for victims, who may be clueless that their personal information was even stolen. Let’s hope OPM is successful in tracking down those two million people, but we’re not optimistic.

OPM is patting itself on the back for its new website. However, a slashy page with a bunch of questions is far from what needs to be done to protect the private information collected and stored by OPM.

Other federal agencies are no better. As we reported recently, a recent Government Accountability Office (GAO) investigation exposed massive security gaps at several federal agencies because they failed to implement critical security precautions. Guess, which agency is among those slacking on data