In response to the massive OPM data breach, the government has been searching for a vendor to provide identity protection services for the almost 22 million individuals affected. Bids were due last week, and the chosen vendor will have 12 weeks to send out the notification letters. That means that some individuals might not even know that their data was compromised until close to Thanksgiving, and the information is likely to have been used by then.

Security experts advise that federal government employees and those who sought high security clearance should assume that their information was included in the breach and to take matters into their own hands—place a credit freeze on all accounts now to try to mitigate the risk of identity theft. It is already delayed and waiting until receipt of the notification letter may be too late.