More than a million victims of a massive hack of U.S. government computer files have still not been officially notified that their data was compromised and that they are eligible for free credit-monitoring protection, officials said on Friday.

Office of Personnel Management (OPM)

The government this week finished sending notifications through the Postal Service to 21.5 million people affected by the breaches, said the Office of Personnel Management (OPM), the federal hiring agency that was hacked.

The intrusions, linked to China, began in May 2014 and were not discovered and announced publicly until a year later.

The postal notifications should be received by the middle of next week, but about 7.0 percent of those hacked, or roughly 1.5 million people, could not receive notification letters because their addresses have changed or are not on file, OPM said.

The hack exposed names, addresses, Social Security numbers and other sensitive information for current and former federal employees and contractors, as well as applicants for federal jobs and individuals listed on background check forms.

In an interview on Friday, an OPM spokesman said it would resend postal notices to updated or changed addresses and rely on a “media campaign” to tell people they can check online to see if their information was hacked.

“We’re going to clean up that 7.0 percent and get as close to 100 percent as possible,” OPM spokesman Sam Schumach said, calling 93-percent notification “a really high percentage.”

OPM will not rely on email notifications to close the gap. Victims of a smaller, related OPM hack were notified by email and given instructions about what to do, but some experts said the emails unfortunately resembled a phishing scam.

“It’s just not as secure,” Clifton Triplett, OPM’s newly appointed cyber adviser, told Reuters on Friday.

The government awarded technology firm Advanced Onion a $1.8 million contract to help locate and notify those affected by the data heist. More than $130 million was awarded to Identity Theft Guard Solutions to provide victims credit and identity-theft insurance for three years.

Cybersecurity researchers have said there is no indication that information from the hack has appeared for sale on online black markets and that this suggest the Chinese government, not criminals, stole the data trove.


China Says It Wasn’t Behind the Massive U.S. Government Hack

China is reportedly saying that the massive hack into the U.S. Office of Personnel Management was a criminal act perpetrated by hackers, and not a state-sanctioned cybersecurity attack.

That conclusion was mentioned in an article put out by Chinese state news agency Xinhua and was revealed by Chinese officials during a ministerial dialogue on fighting cyber crimes between both countries in Washington on Tuesday.

China did not reveal whether the attack, which exposed the personal information of more than 21.5 million people, originated from China itself. No motives were given for the cyberattack, and Xinhua did not mention whether U.S. officials agreed with China’s assessment.

The OPM cyberattack, first reported in June this year, is believed to be the largest government data breach in the U.S. so far. Hackers accessed the security clearance system of the federal agency and stole the addresses, health information, financial history, and other personal details of what amounts to 7% of the country’s population. U.S. officials have been putting Chinese hackers at the top of their list of suspects, according to the Wall Street Journal.