You are here

Email from OPM – is it the real deal?

Share this page

Update (December 9, 2015): OPM discovered a second data breach that affects federal employees, contractors, and others. If you received a letter from OPM, please visit opm.gov/cybersecurity to learn more about what happened and to sign up for free identity protection services.

You just got an email saying your information was exposed in the OPM data breach. Wondering whether the email is the real deal or not? Here are a few things to look for:   

  • OPM will be sending most breach notifications by email between June 8 and June 19. The email will come from this address: opmcio@csid.com. If you get an email about the breach from a different address, then it’s a scam. Don’t click on any links or provide any personal information.
  • The real email from opmcio@csid.com will include your name, your PIN, a button to “enroll now” and information about the CSID Protector Plus program. If you prefer, rather than clicking the “enroll now” button, you can go directly to CSID’s website to enter your PIN and enroll.  
  • Here’s what to expect on CSID’s website: First, they’ll ask for your PIN or the last four digits of your Social Security number to make sure you are who you say you are. Next, if you choose to enroll in CSID's services you’ll be asked to provide additional personal information. 
  • OPM will not call you about the breach. If you get a phone call saying it’s OPM, then it’s a scam. Don’t provide any personal information. CSID, not OPM, is making all contacts about this breach. The contacts will be by email or US mail, not by phone. 

If you’re still unsure whether the email you got is real, check OPM’s website for more information and updates. If you think you’ve been tricked by a phishing email or a fake call, then file a complaint with the FTC and forward the email to spam@uce.gov.

Comments

Ms. Small, you seem to have a lot of information. I want to believe you, but how do I know you are legit? Does the FTC after your name stand for Federal Trade Commission?

Yes, Bridget Small works for the Federal Trade Commission (FTC). Here's one of her recent blog posts: Hundreds of millions say “Do Not Call”

 

 

where do I get my pin number

Unfortunately you can't trust anyone, anywhere, anytime. There is corruption inside legit companies, or these legit companies, including the .gov's themselves can get hacked, i.e., OPM. So who do you trust? I feel sorry for my grandchildren, having to grow up and deal with this ever grown problem.

Although this was a major OPM data breach, can anything be done to prevent this happening in the future (encrypt the data)?

Many of these comments re the STUPIDITY of this CSID thingamabob are on target. Hey, if we can figure out the very serious problems associated with this approach (assuming that the email we get is legit in the first place), why couldn't the brilliant SES folks at OPM figure it out also? DOH. Argghhhh. Grrrr!!!!!

OPM identifying a contractors website and email header address on their home page for public viewing, A contractor (?) sending an email vice OPM mailing official letters to those affected by this SNAFU - really this is the best OPM got- then insult and alienate customers with OPMs lack of accountability and publishing official response as "not my fault". Give me a break why would I trust OPM email?

Why in the worls are they sending this notification from a .com address. It's raising more suspicions and confusion.

This is concerning. Its like a no win situation.

Exactly what I was thinking too!

I have questions regarding the OPM notification I received today? Is this a legit email? Why when I go to the CSID site it is asking for pertinent PII information that was comprised? I.e. DOB, mailing address and SSAN What is the relationship of CSID with the government?
QUOTE FROM EMAIL: These services are offered as a convenience to you. However, nothing in this letter should be construed as OPM or the U.S. Government accepting liability for any of the matters covered by this letter or for any other purpose. Any alleged issues of liability concerning OPM or the United States for the matters covered by this letter or for any other purpose are determined solely in conformance with appropriate Federal law. Please note that these services are offered to the specific addressee of this letter and are not available to anyone other than the individual who received this notification
QUOTE FROM EMAIL: OPM takes very seriously its responsibility to protect your information. While we are not aware of any misuse of your information, in order to mitigate the risk of potential fraud and identity theft, we are offering you credit monitoring service and identity theft insurance through CSID, a company that specializes in identity theft protection and fraud resolution. All potentially affected individuals will receive a complimentary subscription to CSID Protector Plus for 18 months. Every affected individual, regardless of whether or not they explicitly take action to enroll, will have $1 million of identity theft insurance and access to full-service identity restoration provided by CSID until 12/7/16.

Go to opm.gov for the most current information.

On June 18, 2015, the OPM website says it is offering credit monitoring services and identity theft insurance with CSID to people affected by the breach. OPM says you can get more information on the company’s website, (external link) and by calling toll-free 844-777-2743.International callers can call collect 512-327-0705.

In general, if you want to get identity protection, you have to give a company information to prove you are who you say you are. You might have to give your social security number and other information so they can locate the accounts you want them to monitor.

I received a letter from OPM today as well. No email yet.

Why is my letter from csid and why should I trust them? Is this for real?

Go to opm.gov for the most current information.

On June 19, 2015, the OPM website said it is credit monitoring services and identity theft insurance to people who are affected. The services are with CSID, a company that specializes in identity theft protection and fraud resolution. You can get more information from the company’s website, (external link) and by calling toll-free 844-777-2743. International callers should call this number collect: 512-327-0705.

OPM suggests that you contact your agency's privacy officer to validate the communication you get.

Bruce, My letter is from "OPM Notifications". I wonder why the difference?

I live overseas. Got my email. Tried to login, but doesn't allow retirees living overseas the ability to enter their current overseas address. Do I forget about enrolling?

Go to opm.gov for the most current information.

On June 19, 2015, the OPM website says you can get more information about CSID from the company website, (external link) or by calling toll-free 844-777-2743. International callers can call this number collect: 512-327-0705.

It sounds like "Bridget Small - FTC" is part of the Phishing scam. Every question she is asked is replied to by “Go to opm.gov for the most current information.”. I also agree on the Turing Test.

According to the replies, it is impossible to contact OPM by phone (three hour wait). Also, I would NEVER give out my SSN, DOB, etc to ANYONE, especially a suspicious website. I entered my pin and the last four of my SSN, but the next page was prime material for identity theft. Giving then the last four of my SSN is not a problem and should be sufficient to identify me in order to sign up for their services, which according to my mailing are not required anyway, since they are already implemented.

I entered my pin and the last four of my SSN, but the next page was prime material for identity theft. To those who do signup for the “plan”, keep a careful watch on your bank accounts. I am also going to request a credit freeze from the credit agencies. That way no one can apply for a loan in my name. Banks have protection against unauthorized withdrawals. A final note. I went back and entered my PIN and SSN second time and wonder of wonders, it worked. So much for their "one time usage" statement.

Dear "Sounds like phishing"

I assure you, I am a real person, not a scammer. I work for the Federal Trade Commission. I suggest people go to the OPM site because OPM is the agency responding to the breach.

OPM provides two services automatically to people who were affected by the breach. But, if you want the additional services that OPM makes available, you need to enroll. You do not automatically get credit monitoring and ID monitoring.

You may choose to put a credit freeze on your file. But a credit freeze may not stop misuse of your existing accounts or some other types of identity theft. This FTC article tells more about credit freezes.

So i already submitted my information and now i dont know if it was the real site or not. Happy i didnt have my banking information put in there and now im the process of coming up with new email address. It terrible that we are in such a SHARING time in our lives that EVERYTHING has to be connected "to make it easier". Its no wonder ID theft is out of control. You dont know who is who, who is honest or who knows whats really going on

I'm just glad their pages are secure -- or are they? What happened to the padlock on the PII page? Unsecure data on a secure page? Typing the information into the fields is unsecure until submitted, so why is this not hidden? I tried to call the helpdesk -- was on hold for an hour before I hung up, but I am sure they would have "assured" me it is secure. This company is making hundreds of millions from the US govt -- Podunk company to super-rich player. The DoD has terminated the program until CSID fixes it -- guess it took someone with more smarts to make them at least APPEAR to be secure, than just telling people they are.

I was unsuccessful attempting to enroll on line due to an error-- have been on hold with CSID( 844-777-2743) for > 2 hours. Has anyone had success in enrolling on line or getting through to customer service? Next step? Calling my representative to inform them of the "non -fix" by OPM?

I was able to but she told me to use lower case and not to ad any punctuation.

I find it interesting that to combat the data breach, we are being advised to access yet another website and to release yet more personal information to a new website. Ironic, eh?

Bingo Bob...

All of you make such good points. Fact is I have been paying for Life Lock for years. To keep my secret clearance the govt runs my credit several times a year. I have always liked to keep my own eye on my own personal info. Beware when a agency that is making back room deals to offer free services, and then added products. This is not a government agency. It is a private company. There are many companies that do what they do. My health records were breached at Kaiser some years ago. Same thing. They sent out similar letters offering monitoring service. Fact is we are all at risk all the time. Just use PayPal, or EBay, I promise you fraud will be on its way in no time. Good luck all!

I called 844 777 2743. I was advised to access the website due to a 90 minute call wait queue.

Thank you all for commenting. You share my concern. I expected a letter and got an email. The sending email ends in .com, not .gov. I totally understand, Bridget Small, what the email says. Mine, and I believe the others' concern is with the process. One would have to be incredibly ignorant nowadays to blindly follow email instructions.

Everything sent out and claiming to come from opmcio@csid.com is exactly what a determined phisher would do. OPM itself claimed all that was stolen initially was names, SSNs email, etc. Great! Now, given that, how would I go about getting the users to tell me more? Sure! Pretend to be OPM, send email from a non-government web site, claim it's all okay.. A few percent of users fall for this trick, and now I have hundreds of thousands of bank accounts, investment accounts, etc. Who cares if 95% realize this is phishy? 5% of 14 million bank accounts is a whole lotta money.

Exactly the opposite practice of what we're told to do in annual IA/cyber awareness training. Stuff like this is supposed to be PKI signed and come from a .gov or .mil address. They don't practice what they preach.

I called and tried to explain that to them and they were completely ignorant about out training.

I am a retired employee and got only e-mail. No snail mail. Should I expect regular mail too? As it is very easy to falsify names I checked IPs. They asking me to provide name, SSN, address etc. at 72.3.201.109.Is this correct IP? Geolocation data from IP2Location(Product: DB4 updated on /1/2015) IP Address Country Region City ISP 72.3.201.109 United States Texas Dallas Rackspace Hosting Google Map for Dallas, Texas, United States (New window)I also looked at e-mail domains. Are they correct too? I clicked on the reply button and the address OPM CIO opmcio@csid.com> with IP 213.165.76.224 changed to
r-xdjdrcjrcjtpsstclvmsgdvghnhpbnysmpcdgblycchlgky @mail.csid.com with IP 96.46.132.64 Geolocation data from IP2Location (Product: DB4 updated on 6/1/2015)
IP Address Country Region City ISP 213.165.76.224 Germany Nordrhein-westfalen Dortmund 1&1 Internet Ag Google Map for Dortmund, Nordrhein-Westfalen, Germany (New window) Geolocation data from IP2Location (Product: DB4 updated on 6/1/2015) IP Address Country Region City ISP 96.46.132.64 United States Arizona Phoenix Azcentral Google Map for Phoenix, Arizona, United States (New window)

Just go to OPM's website, opm.gov/news/latest-news/announcements/ there is a redirection to CSID in the upper right portion of the screen. I agree another third party, but then OPM is not in the business of credit monitoring, hence the need to contract with them. That link should give those unable to tell a phishing scam some peace of mind.

SHAME ON OPM AND SCID! I SEARCHED THE OPM WEBSITE AS WELL AS THE SCID WEBSITE FOR ANSWERS TO SIMPLE QUESTIONS AFTER RECEIVING NOTIFICATION -- NOTHING! THEN I CALLED AND LEFT MY PHONE NUMBER AND WELL AS ON HOLD FROM ANOTHER PHONE. I AM NOW INTO MY THIRD HOUR OF BEING ON HOLD. RECORDING SAID 90 MINUTE HOLD TIME. AS A DEDICATED GOV'T EMPLOYEE WHO GAVE HOURS OF PERSONAL TIME FOR THE MISSION I DESERVE TO BE TREATED BETTER THAN THIS. ALTHOUGH NOT A UNION MEMBER, I HOPE GOV'T UNIONS RAISE A STINK OVER THIS AND MAKE HIGHER UPS ACCOUNTABLE FOR THEIR LACK OF SECURITY MEASURES. THANK YOU.

I got a letter yesterday, too. But I worked for the government over a decade ago and I suspect they don't have my current e-mail address.

I have spent my whole life protecting my identity and now this because I am a federal employee. I am totally disgusted and have been violated by my employer. Hopefully, what goes around comes around and God help us all that have to deal with the incompetence of others the rest of our lives.

Why in the world is the OPM CIO sending email from a commercial address, rather than a government address. It clearly looks like a fraudulent phishing attempt. Poorly done OPM!

Go to opm.gov for the most current information.

OPM is offering affected individuals an 18-month membership with CSID, a business, that will provide credit monitoring services and identity theft insurance. The OPM website has a link to CSID.

I got a letter on July 1 2016. It looked official, but that is not enough. My letter did not refer me to CSID. It referred me to MyIDcare. I don't trust it and will not provide the extensive personal info they request.

I got a letter today at MY PARENTS HOUSE, in my married name, but I haven't lived there since BEFORE I was married. The company I was referred to was not CSID or MyIDcare, but mine was for ID Expert. Yeah, I'm DEFINITLY getting a bad feeling about this.

it's ok

Maybe we ought to use Hillary's Private email server !

BS the emailer can't even use correct syntax and agreement in the text. Nice try.

The letter I got sent me to a web site that asked for my whole social, not just part of it. Not crazy about this on a ".com" site. OPM should have provided a '.gov' site instead.
Then, to make matters even more suspect, the page the letter sends you to is mixed encrypted information and non-encrypted information so it's security certificate may not be being used for the transfer of my social!! Another government screw-up in the works, OPM the sequel? "We lose your PII to times!"

Does the following mean that eventually we will have to pay for this service: All potentially affected individuals will receive a complimentary subscription to CSID Protector Plus for 18 months.

I tried to register. Put in the PIN and personal information and the computer froze up for a long time. Tried again and again the computer froze up with my personal information on the internet.

I left my govt agency three years ago and they do not have my current mailing or emaul address. I also live outside US now. How can I get this notice with csid pin?

Go to opm.gov for the most current information.

If a person was affected by the breach announced on June 4, 2015, and that person has left the government, OPM will send them a notification by postal mail to the last address the agency has on file. OPM will verify the address with the National Change of Address (NCOA) service before mailing a letter.

You may want to contact the privacy officer at your former agency for more information.

Found the email in my Junk Email. NMCI thinks it is spam. Why would any gov CIO send an email through a 3rd party. I was going to ignore this as a phishing attempt since I know the OPM CIO works for the gov not CSID. No wonder they are in trouble. CIO@opm.gov would be fine with me. Maybe their email server is bugged and running Windows 95. This CIO should be fired!

Pages

Leave a Comment