Email from OPM – is it the real deal?

Update (December 9, 2015): OPM discovered a second data breach that affects federal employees, contractors, and others. If you received a letter from OPM, please visit opm.gov/cybersecurity to learn more about what happened and to sign up for free identity protection services.

You just got an email saying your information was exposed in the OPM data breach. Wondering whether the email is the real deal or not? Here are a few things to look for:   

  • OPM will be sending most breach notifications by email between June 8 and June 19. The email will come from this address: opmcio@csid.com. If you get an email about the breach from a different address, then it’s a scam. Don’t click on any links or provide any personal information.
  • The real email from opmcio@csid.com will include your name, your PIN, a button to “enroll now” and information about the CSID Protector Plus program. If you prefer, rather than clicking the “enroll now” button, you can go directly to CSID’s website to enter your PIN and enroll.  
  • Here’s what to expect on CSID’s website: First, they’ll ask for your PIN or the last four digits of your Social Security number to make sure you are who you say you are. Next, if you choose to enroll in CSID's services you’ll be asked to provide additional personal information. 
  • OPM will not call you about the breach. If you get a phone call saying it’s OPM, then it’s a scam. Don’t provide any personal information. CSID, not OPM, is making all contacts about this breach. The contacts will be by email or US mail, not by phone. 

If you’re still unsure whether the email you got is real, check OPM’s website for more information and updates. If you think you’ve been tricked by a phishing email or a fake call, then file a complaint with the FTC and forward the email to spam@uce.gov.

Comments

By the way, I cannot get to the site to put in my pin from my gov computers. I have all TLS and SSL options selected and still I get page cannot be displayed. Phone line is 1hr wait.

Who is Bridget Small, and why does every one of this person's responses begin "Go to opm.gov for the most current information. On June 19, 2015, the OPM website said ..."?????
Most government employees and retirees can read, have already been to the OPM website, and are reacting to the (typical) inadequate and poor information presented there. Instead of parroting this introduction each time, how about realistically and practically addressing concerns that are presented in these customer comments instead of assuming the customers can't read or haven't already done so?
I will personally NOT provide ANY of the PII requested by this alleged company until I get trustworthy information directly from OPM that openly addresses the exact problem, presents the detailed steps that have been taken to prevent it from happening again, and gives well-thought-out action guidance to employees and retirees, i.e., NOT like the government's last Health Care Database debacle, and NOT like this current epic failure!

Good morning.  I am Bridget Small, a staff person in the FTC's Bureau of Consumer Protection, Division of Consumer and Business Education. 

People read and comment on our blogs days, months, sometimes years after they're posted. The blog you're commenting on was posted 12 days ago. New information can emerge after we post a blog. In fairness to all our readers, including those who aren't directly affected by the OPM breach, and/or aren't following it closely, it's important to be clear about what was known when, and where to go for more information.

Who authorized OPM to give my personal information to CSID.COM? CSID asked personal validation questions on their site that ONLY myself and OPM could know, and I did not waive my right to privacy when I initially supplied the information to OPM for my security clearance.

Great point! I stopped at that very screen because it just seems so ridiculous.

I have tried to call CSID for two days. I called at 9:00 am and the waiting time is 90 minutes. I am today on the phone and the waiting time is now 44 mins from 90 minutes this morning.
I don't want to give my SS on the computer. I called OPM because my password has expired so now I have to wait 7 days to get a temporary password from OPM. I am terrified. It

When will they fix the web site so that I can log on? Last few days have tried to log on and see a we are having tech difficulties message with a 1-844 phone number. This is almost like back when Obama care web site went up. There were issues.

I can't believe OPM would send an email. I received letters by mail in the past. They do not have my email. So the information I received was from the FTC and not OPM. I did not get a letter, so for this to be true, I question the information to the highest as many more are stating in their comments. I have not as of today, June 25, 2015, received any letter or email concerning a breach in our personal information. Although the FTC is part of our government, they could have gotten information before us and those of us who are receiving emails from the FTC were notified in that manner. I appreciate the FTC keeping up with what is going on in our government. It keeps us up to date on inner cities activities, this is my word for inner circle of our government.

Go to opm.gov for the most current information.

If you are a current or former federal employee and your information was affected by the breach, OPM will notify you by email or mail. Email will come from opmcio@csid.com.

The FTC is not sending notices to affected people. If you get an email that is not from opmcio@csid.com, and it says it's about the breach, don’t reply, click on any links, or open any attachments.  Read more about Phishing in this article.

Just got a letter 2 days ago from OPM. From chief information officer regarding data breach. I retired 8 yrs ago. Still debating if I have to sign up with CSID free protection plan for 18 months; after reading all the comments I have doubts and don't really know if I can trust CSID giving them all my personal info! I

On CSID website: "Every affected individual, regardless of whether or not they explicitly take action to enroll, will have $1 million of identity theft insurance and access to full-service identity restoration provided by CSID." Sure sounds like we don't have to enroll to receive the same protection. So why give CSID our personal information?

Go to opm.gov for the most current information.

The OPM website says that if you want credit monitoring and identity monitoring services you have to enroll for the services using the code that came in your notice.

After entering personal information on the CSID site and getting no response I am afraid to further enter personal information that may not be secure, and don't know where it is going.
Why didn't the OPM test the system before implementing it?
It seems to be causing more harm than the breach.
Being retired Navy, I do not get the protection that current employees get by the IT monitoring they provide.
Shouldn't the OPM announce that the notifications have been cancelled? Or if get through may take many hours and possibly many crashes trying to get through?

I signed up for the CSID protection yesterday afternoon. I noticed that the SSN trace report showed some ridiculous address in my record (Bluefield College, Bluefield, VA). I called CSID this morning. Their response was that they could do nothing, explain nothing, and if I wanted to pursue this to contact my “local public records facility”.

Five minutes ago, I received a solicitous call about lowering my credit card interest rates; the first ever on my mobile phone.

It took CSID less than 24 hours to sell my identity. Completely worthless.

From CSID website: "Every affected individual, regardless of whether or not they explicitly take action to enroll, will have $1 million of identity theft insurance and access to full-service identity restoration provided by CSID." Notice the statement "whether or not they explicitly take action to enroll".

It seems that we don't have to enroll to receive the same protection.

Wow! Got my snail mail letter today. I checked the website on Thursday and was assured that all snailmail would be delivered by June 19. Today is the 27th (8 days after the last possible delivery date). So I go to CSID (through the opm.gov website). Of course after entering my PIN to prove it is me, I am asked for my full SSN, DOB, address, holy cr@% that is a lot of information for someone who just linked me to the PIN I provided for proof. I don't know what to do. I don't want to give all of my PII. Surely there must be a more secure way to enrich the stockholders of CSID. Any ideas on how to sign-up for the protection without giving up all of my protection?

Go to opm.gov for the most current information.

The information on the OPM website explains what you saw on the CSID website. According to OPM, if you want credit monitoring and identity monitoring services you have to enroll directly by entering the activation code you got in the notice, establishing an account and correctly answering a set of authentication questions.

In general, if you want to get identity protection, you have to provide information to prove you are who you say you are. A company might ask for your social security number and other information to establish your identity so they can connect you and the accounts you want them to monitor.

Why would they ask for your info, when dod OPM already has my records? I do not trust this.

If you got a legitimate email from “OPM CIO” at opmcio@csid.com, it has a link that takes you to www.csid.com/opm.

OPM said that anyone who is affected by the breach is automatically enrolled in full service identity restoration (to help you to repair your identity if needed) and up to $1 million in identity theft insurance (to reimburse your expenses if your identity is stolen).

You have a choice about whether to enroll in CSID’s credit monitoring and identity monitoring services.  If you enroll, CSID will ensure that your credit and credit card accounts are monitored for suspicious or fraudulent activity.

If you want to enroll, you have to give personal information to prove you are who you say you are.

Go to opm.gov for the most current information.

I retired 5 1/2 years ago and received the email Friday 6/19 after 35 years with DOD. I Googled about the email and I am not sure if I want to complete the form from the link in the email after reading comments here. It is too much private information they are asking in light of the massive security breach. I worked in IT and remember all of the training we received regarding phishing and other ways to get our identity.

CRAZY...got the CSID letter but the addressee was NOT ME. The address is mine. Called CSID (very friendly). Gave my name & last 4 SS; was told I had been breached and need to go to the web site to enroll. She gave me my pin over the phone. She was NOT concerned about the addressee and their pin# on the letter...said the person would call if needed. I want to do the RIGHT thing but don't know whether to enroll or NOT...retired from Fed 7 years ago. What should we do and WHO can we TRUST????

Go to opm.gov for the most current information.

OPM said that anyone who is affected by the breach announced on June 4, 2015 is automatically enrolled in full service identity restoration (to help you to repair your identity if needed) and up to $1 million in identity theft insurance (to reimburse your expenses if your identity is stolen).

If you're in that group, you have a choice about whether to enroll in CSID’s credit monitoring and identity monitoring services.  If you enroll, CSID will ensure that your credit and credit card accounts are monitored for suspicious or fraudulent activity.

If you want to enroll, you have to give personal information to prove you are who you say you are.

Received my CSID letter and if that doesn't have the air of spear phishing, I don't know what does. Login to this "special" website and enter your PII. ToS reads ... give us your PII, but you can't hold us or third parties accountable if something goes wrong. And the domain csid.com registered by GoDaddy and registrant info is "domains by proxy." I have no confidence.

They probably have all our nuclear codes and we don't even know yet. SMH

Does my personal information expire after 18 months? Why only 18 months of monitoring?

Good question? Maybe the future will show there is some monetary kickback from the Company.

There are several lawsuits in progress to change the limits. Will have to wait and see.

I worked for the Fed for over 38 years. I did quite a bit of work in IT. Security was always a high priority, so nine years after I retire, these --- drop the ball on us. I am disappointed. The government is supposed to protect us from all enemies both foreign and domestic. I guess they forgot that part of the oath.

Why hasn't there been something published in regular media about this? Between the sharing of personal information by OPM with CSID and the bogus looking e-mail from a non-government site, there needs to be a public, widespread explanation by OPM.

I thought the e-mail was crap, so did not click on anything. Bridget Small: please share this with OPM. Or should we just pass this on to the congressional committee and press ourselves? thanks

Go to opm.gov for the most current information.

If you got an email or paper mail notification from OPM, but didn't respond to it, you can contact CSID to see if you're eligible to enroll. Current and former Federal employees can call CSID at 844-777-2743.  (International callers: call collect at 512-327-0705).

  • 7 a.m. - 10 p.m. CST (Monday through Friday)
  • 8 a.m. - 8 p.m. CST (Saturday)

OPM is making this too cumbersome for current employees. All OPM has to do is provide a check box for opt in/out for monitoring in our personnel account. Verify info and send it on over to CSID. Getting error code when I try to sign up via indicated website.

Attempted to use their website today...said my username was previously used. Changed username...said my pin was previously used - all this after having input my PII. Not cool and they shouldn't lie about their capabilities or the fact that they haven't been out in front of this and are still not prepared to handle the numbers being thrown at them.

The thing about not being contacted by phone is WRONG. I received a call yesterday from the Census emergency response line, asking if I had received the e-mails they sent. It was a recording & only asked for a yes or no answer. It was real because that phone # is stored in my phone & was identified as the emergency response # used to check up on us in case of a disaster, like a hurricane, so you need to update that.

OPM is not contacting people about the breach. If you get a phone call saying it’s OPM, then it’s a scam. Don’t provide any personal information.

It sounds like you got a call from an agency that had your number because you gave it to them.

My email and address have changed; am on non pay status with IRS. How do I find out if I'm affected? Don't really want to hold on the phone for 2 hours.

Go to opm.gov for the most current information. There are questions and answers there about many topics.

If you were affected by the incident that OPM announced on June 4, OPM would have sent you an email or paper mail notice. OPM was sending notices via postal mail to the last address the agency has on file. OPM said it checked addresses with the National Change of Address (NCOA) service before it mailed letters.

Why is it that I cannot go to my OPM retirement site to determine if my info has been included in the hack? All I read is that the OPM is sending letters and emails to "those affected". Am I to assume as I got no letter/email my info is still secure? I am supposed to assume that no email no letter means no breach? BS to that, OPM should be able to confirm YES your info has been taken or No your info has NOT been taken to every employee .. simply amazing

I don't know how anyone is supposed to know what is what. I just received an opm.gov email from a Janet Barnes with the following message "You have been chosen to receive a private donation. more info contact (michaelduncan@yeah.net)=" That sure doesn't sound like anything that should be coming from a government email account! Obviously, I did not contact the email address, but feel that opm.gov should investigate who is using their email account.

Entered once, not sure it went through. Just got my e-mail 2 days ago, what took so long? I believe that we should receive identity theft protection for LIFE and with one of at least the top 10 companies. Otherwise the identity thief can just wait 18 months and then use our information unless WE pay for identity theft protection ourselves for the rest of our lives. This happened through no fault of our own, not fair!! Whatever happened to taking responsibility for your mistakes and paying the price? I also agree with a previous post from someone who contacted CSID, who authorized the OPM to give them our personal information????

My notification came from a third party - CSID - on mixed CSID/OPM letterhead. Signed by the OPM CIO. With regular commercial (machine) postage. I was skeptical. However not so much after a brief search.

The OPM site on this subject says "For questions about the personnel records incident only, please call CSID at 844-777-2743" Which is the see Official OPM statement "Information about OPM Cybersecurity Incidents"

CSID can be hacked as easily as the government. They protect us by gathering our data. Explain the deep security arrangements that CSID has made to protect who they protect?

I have received telephone calls on my home and cell phones, I have NOT received a letter in the mail. However, when I called the 18447772743 number they said I was included in the Breach and to use the provided number to sign up on the CSID website---then asked for DOB & SS info. At this point I called the Philadelphia Census Office and Administration couldn't answer questions. I also received an email - without a PIN number included.
They stated that the PIN can only be used once, more or less "forcing" you to enter additional PII to get the coverage being offered. I chose not to enter and called the telephone number again and they stated a new PIN would be issued if I needed to continue the process. My son works for the DOD as a civilian and he has not received any notification about his PII being part of the breach, although he falls within the data breach content of having a background check after 2000. Will anything be done? As a Census employee who must insure my clients that all information is encrypted and safe, they give me SS#'s etc, now how is this going to hinder the responses of those when I go and try to gain their "TRUST"? This will result in lower response rates, etc for the Census Bureau employees!
The email I received was from:
conf-784768321@everbridge.net now that really makes you think it is from the government, without a PIN and haven't received a letter!
Government should pay for protection for life of employee and spouse or partner!

I got a letter. Why is the website www.csid.com/opm asking for my Social Security #? Shouldn't the Social Security # be linked to the pin? I'm not comfortable with this.

This thread is fascinating. Bridget Small could be some computer's attempt to win a Turing test (or a person's attempt to lose one).

I'm very upset..the very person that sold my info in 24 hours is now asking me after 2 years of protection to pay for the service they stole in the first place!! Where is Obama in this matter? War Vets do not deserve this.. May God do something about this amen.

So I tried to enroll, it didn't work, and the system locked me out. Then I call the number, and they ask me for my SSN! Just to confirm that my pin wasn't available anymore. Then they tell me I won't be able to use this service until they get more pins, at some point in the future. Which could be weeks??? This is not right. If you're offering a service to ppl because you screwed up, don't make a mess of the fix as well. I was thinking about going back to work for the feds, now having second thoughts, maybe I should just write a nasty letter to Obama instead...

What do you expect from the Obama crowd? Too busy giving nukes to Iran.

Has anyone considered that this CSID was behind the original hack? Either to generate a very lucrative contract or in a more cynical and ingenious plan to get the final touches on all the partial information they stole the first time? OPM will not tell us what or even if they vetted this company. They already have all our info from OPM (whether we agree or not, we simply were not asked) so why on earth would they need all the additional info again if not to validate what they already stole?

Thank you, finally someone who actually makes sense of all of this.

I am worried about giving my PII to a contractor who will have all of my information in another database that could be hacked. Then I realized that CSID has our information already because they are verifying our data for monitoring. I wonder if the services are worth it since they will notify us if they notice our information being used such as our SSN with a different name. It is not clear to me that they take any steps to stop it. Is it correct that they only observe and notify? Does the SS Administration know who has been breached or is that a separate action that we must take individually?
