Email from OPM – is it the real deal?

Update (December 9, 2015): OPM discovered a second data breach that affects federal employees, contractors, and others. If you received a letter from OPM, please visit to learn more about what happened and to sign up for free identity protection services.

You just got an email saying your information was exposed in the OPM data breach. Wondering whether the email is the real deal or not? Here are a few things to look for:   

  • OPM will be sending most breach notifications by email between June 8 and June 19. The email will come from this address: If you get an email about the breach from a different address, then it’s a scam. Don’t click on any links or provide any personal information.
  • The real email from will include your name, your PIN, a button to “enroll now” and information about the CSID Protector Plus program. If you prefer, rather than clicking the “enroll now” button, you can go directly to CSID’s website to enter your PIN and enroll.  
  • Here’s what to expect on CSID’s website: First, they’ll ask for your PIN or the last four digits of your Social Security number to make sure you are who you say you are. Next, if you choose to enroll in CSID's services you’ll be asked to provide additional personal information. 
  • OPM will not call you about the breach. If you get a phone call saying it’s OPM, then it’s a scam. Don’t provide any personal information. CSID, not OPM, is making all contacts about this breach. The contacts will be by email or US mail, not by phone. 

If you’re still unsure whether the email you got is real, check OPM’s website for more information and updates. If you think you’ve been tricked by a phishing email or a fake call, then file a complaint with the FTC and forward the email to


GOD! IS THE USA REALLY A FRAUD? I want you to hear my story. I am a retired DOD civilian with 27 years as a mechanic on the F-15 fighter jet, America's number one pistol in a USA home invasion. For 27 years I was highly aware that even a small mistake was unacceptable, considering the magnitude of importance in the role this plane plays in our defense. Now, CSID is supposed to be protecting and monitoring my personal information from identity theft. At the end of June 2015 and early July timeframe my credit card was breached and run to the max on a Sunday, when CSID doesn't see the importance of my protection to staff 24/7, knowing that financial institutions have a 5 day week. So the perpetrator had all day to have fun with my card because no one was watching. The following Monday I contacted by phone CSID with the information my card was breached. The pothead had no clue, the more I talked the less he learned, bringing to mind what in the world they were doing while this was going on. Considering I had finally managed to block the card with my bank's automated system. The pothead was totally unaware of the situation and told me that they were there to monitor and protect my identity. He did not have a clue that I was a victim and showed no concern. After several minutes of useless conversation I hung up frustrated and confused. I went to the grocery store just before 5pm after checking my local bank acct to ensure I had money in my debit acct. At check out at approx 5:40 my debit card was denied 4 times. The cashier explained it was showing insufficient funds, YES BY GOD, they had hit me again this time in my debit acct. I'm sure the pothead at CSID once again had no clue and I once again had to protect my own identity by pursuing a block through my bank after hours. Shortly after that I called CSID but nobody was home. Now as if that isn't bad enough on Sept 2nd I received an update email from CSID on my identity status.
I was absolutely shocked when in big green letters "everything is fine with your accts". They didn't have a clue that the 2 cards, 1 credit 1 debit, were breached and blocked. They told me that I was in good hands and perfectly protected. Now I ask you what good is this company? I truly believe it is non-existent and nothing more than another Gov fraud, with a few low paid phone operators working out of an unneeded office or in a warehouse within the beltway. I don't even believe this thing exists. Do you? I'm sure that in another couple of months that I will receive another 'everything's great' email with big green letters from the great protector CSID.

According to information on the OPM site, if you were affected by the personnel data breach OPM is providing you with

  • identity theft monitoring service,
  • identity restoration service (to help repair any damage from identity theft), and
  • identity theft insurance (to reimburse for some expenses incurred because of identity theft).

You may want to use those services if you need help or have costs from recovering from the theft.

Also: identity theft victims can get free information and detailed tips for repairing identity theft at shows how to create your identity theft Affidavit and other documents you'll use to repair problems.

The site also explains fraud alerts and credit freezes, which you can place yourself. An alert or freeze makes it harder to get credit in your name.

It is clear in the story that this person is using the services that you bullet pointed. The problem is that their account is not being serviced. OPM is just telling them things are okay when clearly things are not okay. In this story the services do not work. Clearly.

Hi Bridget! The letter I received had me enroll at /cybersecurity. Everything appears legitimate, except I notice everyone on this post mentioning CSID. I don't see that reference anywhere. The company referred to me is ID Experts. I was about to complete enrolling, but this made me stop.

In 2015, OPM contacted two groups of people who were affected by data breaches.

In early 2015, OPM notified people who were affected by a breach of personnel data. OPM offered those people services through CSID.

In the fall, OPM notified people who were affected by a breach of background investigation records. OPM offers those people services through ID Experts.

Meanwhile, OPM is sending out emails with partial SSNs when you go through the job application process. I can't believe they are doing this.

I just received a letter on Saturday, Oct. 10, from OPM. Should I trust it? This is the first time that I have been contacted. Looks like others received their letters a couple of months ago.

Go to for the most current information.

On October 1, 2015, OPM said it would start mailing letters to people whose names and fingerprints were stolen in a breach of the OPM system.

The letter will have a personal identification number (PIN) number that you need to sign up for certain identity protection services.

No one from OPM will contact you to ask for personal information. You can choose whether to sign up for identity protection services.

I am taking my letter to the FBI. Bridget Small sounds like a troll to me. I don't trust this at all.

Good morning. I work in the FTC's Bureau of Consumer Protection. I'm one of the FTC staff who read and respond to blog comments with information and suggestions about additional resources.

It appears Ms Small, that you are overworked as you seem to be the only person in OPM -strike that -at FTC answering these comments. I applaud your patience.

I note that I need to receive info from OPM who passes me to ID Experts who passes me to their contractor CSID (Costco's current plan to purchase BTW), but OPM or somebody also suggests I complete enrollment with myIDcare. When I search myIDcare it defaults to Medicare in almost all cases except for one search reply that states in part "myidcare com /secuirty andprotcion". (There is a dot before the com that I removed to ensure I did not send you a phishing web site). Those are their typos-not mine! So don't be surprised by all these comments with red flags flying all over. So is it ID Experts, CSID, myIDcare, or more out there? Can OPM see the debacle they have created?

I received a letter the same as you. I went to / cybersecurity, click on their link and it took me to MyIDCare as well. When the MyIDCare enrollment page pops up, there's no information about the company or how to contact them. I did a little more searching and found an address in Portland Oregon for MyIDCare. What is interesting to me is, you're the only post I've seen thus far that mentions MyIDCare. Everyone else talks about CSID. Not sure what to think.

Go to for the most current information.

There were two cybersecurity incidents at OPM. The first breach exposed people's personnel data. OPM sent letters in June 2015 to people affected by the first breach. OPM worked with CSID to notify people about the first breach and to help people get services.

The second breach involved people's background investigation records. In September 2015, OPM started sending letters to people affected by the background investigation records breach. If your information was affected by the second breach, you can sign up for services from My ID Care.


I just got one of these letters in the mail under my son's name. He is only 15 years old, 14 when the breach notice went out. How can I find out if someone used his identity BEFORE the breach? Otherwise, why would the OPM send this in my son's name when my husband is the one who worked for the military.

Go to for the most current information.

On 10/19/15, the OPM site says that if you get a letter and PIN code from OPM, it means OPM determined your Social Security number and other personal information was stolen in a cyber intrusion involving background investigation records.

OPM is offering identity theft protection services to the dependent minor children of affected adults, if the kids were under age 18 on July 1, 2015.

If you or your children are affected by the breach, you automatically get identity theft insurance and restoration services. You can also enroll for identity and credit monitoring services.

Use the information in your letter and at to learn more.

Hi Bridget - your comment and the OPM letter and the OPM website all say that the protection is extended to children who were minors as of July 1st 2015. However, the ID Experts website will not allow you to enroll a minor child if that child has turned 18 since July 1st. Is there a way to confirm that children in this category will receive their own letter?

I just got my letter in the mail yesterday, read all available information on OPM/CSID had available about both Cyber attacks and read this whole page of comments and concerns still with no trust in this whole ordeal. Early this year I had my bank card used by an unauthorized individual in a different state within hours of using it myself, my account completely zeroed out and yet cleaned up that mess myself within the same week, so why should anyone trust another THIRD-PARTY company to take care of it for me, that hassle made me redo everything of importance then and now yet again due to this, so why would I go through yet more THIRD-PARTY's to keep my INFO safe when the Second-Party couldn't do it in the first place, to me the more people who put their trust into the cyber-security system the more people get hurt by it, I do personally believe more could come out of this but why should I take another risk with something I may regret. And to Ms. Bridget Small I have read all comments on here and there is no new information as of this post that I need to know I have looked into both OPM and CSID and read all available information they had/have on current subject as well as changing all my security that was in place, but I do appreciate your concern in helping others find the Information to help themselves.

OK, I got a snail mail letter last week about this. Apparently, the government could not adequately safeguard my PII. I'm now supposed to go to a dot-com website and provide a bunch of PII to them? I don't think so...

So let me get this straight. OPM was breached and lost my information. They have contracted the services of protecting my identity to a vendor which would like me to enter personal information onto a website to be stored in a database for my "protection". I don't see how we can possibly win in this cyber war.

I read many comments about 18 months. My letter received months after the breach said 3 years. I must really be in trouble. Also I did not pick it up here that there were two different letters that were almost indistinguishable and I could not tell what difference it made. One was to people whose fingerprints were stolen and one not stolen. What are the implications of the difference?

I rec'd the notification from OPM along with a PIN. The PIN did not work with the online sign-up...called the number in the letter. I was on hold for a long time, then connected to a guy with a heavy accent...LOTS of background noise...PIN didn't work for him....said I would have to speak with (?can't recall) for them to verify my identity. He read a TON of questions I would have to answer...Personal, private info. - I hung up! Tried the PIN a week later online...same issue. This is a very poor way to handle our privacy & identity breach!!!

I also noticed that on this letter I got from the "untied states office of personnel management" is that there is no date on the letter as being a military personnel I'm very wary of being scammed but where is the date?

Go to for the most current information.

As of today, the OPM website shows examples of the two different letters it sent to people. There are two different letters because there were two separate breaches of information.

Go to and look for the sample notification letters included as "Things You Can Do Now."

I went to the website and when I click on the cyber security link and it takes me to "MyIDCare". I see everyone mentioning the monitoring will be through CSID, so why does the link on take me to MyIDCare?

Go to for the most current information.

There were two cybersecurity incidents at OPM. The first breach exposed people's personnel data. OPM sent letters in June 2015 to people affected by the first breach. OPM worked with CSID to notify people about the first breach and to help people get services.

The second breach involved people's background investigation records. In September 2015, OPM started sending letters to people affected by the background investigation records breach. If your information was affected by the second breach, you can sign up for services from My ID Care.

I received a letter today in the mail. Mine says to go to / cybersecurity to enroll in the identity monitoring services. The only problem is. It asks me for my personal information like my SSN. How can we trust a web site that we aren't sure about? How do we know it isn't a scam? I think I will just pay someone to monitor my credit/identity. Does anyone know for sure if this is legit?

If OPM sent you a notification letter and PIN code, that means OPM determined that your Social Security Number and other personal information was stolen in a cyber intrusion involving background investigation records.

If you were affected by the breach, OPM is providing you with identity theft insurance and identity restoration services. You don't need to sign up to get these services.

If you want the additional services that OPM will provide, you get them by signing up for My ID Care. OPM spells out how to do this on its website.

In general, if you want a company to protect your personal information, you have to share your personal information with the company, so it protects what you want protected. Whether you use services OPM makes available, or use services you choose and pay for, you will need to share your personal information.

My letter has 5 pins...why?

I have just received the letter from OPM.GOV too. I'm doing my investigation what it's all about.

You have just convinced me not to sign up with any services of that company, Bridget (or whatever your name is). Just read what you wrote. ", if you want a company to protect your personal information, you have to share your personal information with the company," I'm 100% sure it's all fraud.

The company sends you the "oficial letter" with a "PIN". The company claims that it is protection and WILL protect your PPI. BUT....HOW CAN YOU CREATE THE CASE concerning personal information that had been stolen if the company DOESN'T HAVE your personal information at all AND ASK YOUR SSN? ))))

What kind of government security protection agency is that if it offers you the service of protection and claims that your PPI had been stolen and it's monitoring that but actually DOESN'T HAVE your personal information on file? ))))) It's a scam. Be aware!!! The actual agency which has a case about you doesn't need any personal information and it doesn't offer you additional protection if it can protect you. THINK ABOUT IT

If you recently got a notification letter and PIN code from the federal Office of Personnel Management (OPM), not a private company, it means OPM determined that your Social Security Number and other personal information was stolen in a cyber intrusion involving background investigation records.

If you're in that group, OPM automatically offers you identity theft insurance and identity restoration service, but that doesn't mean OPM carries out the insurance and identity restoration functions.

OPM offers you the services, but other entities provide the services. You would use the services if your identity was compromised or you had expenses for restoring your identity.

If you choose to sign up for the additional services (credit monitoring and identity monitoring) you would provide personal information so the company could monitor your accounts.

If you don't choose to sign up for additional services, you still have access to the identity theft insurance and identity restoration services OPM offers.

The simple questions are.
Why the OPM offers the additional services? Why all protections can't go implicitly? Why anybody needs to sign for the additional services? Does it cost extra money? If OPM and the Government want to protect you and it has an insurance then why doesn't monitor your credit files automatically? All your financial accounts connected to your SSN and current address, name, etc. If OPM knows that your PPI had been stolen and has an insurance for you why do you need to ask for some additional service?
The second simple question is.
Why does the additional service ask for your SSN? If OPM knows that your PPI had been stolen then OPM ALREADY KNOWS your SSN. Otherwise how does OPM know that it had been stolen? )))
If some "protection" company that sent you a letter that your PPI had been stolen doesn't know your PPI then how does OPM know that it's stolen? How does OPM created the case about stolen PPI if it doesn't have that PPI? )))))
Sound as a BS

I looked at the OPM website extensively, Bridget, so I know what it says.
I got my letter Nov 14. It says my "fingerprints were likely compromised." I didn't feel the need to look at the two different example letters on their website. What kind of ignorance is that, anyway?

I checked out ID Experts' website, and it looks like another gov't vendor providing worthless service at great cost to the taxpayer. There was even a Better Business Bureau complaint on ID Experts. What kind of national cyber-security firm joins the local BBB, anyway? After reading all these comments, I'm not signing up with ID Experts. OPM initially used another vendor--CSID--who proved worthless; and I imagine that's the case with ID Experts, too.
May God protect all of us who were victimized. The US government is not gonna do it; that's who made our personal and our families' and friends' personal information available to terrorists and thieves.

Bridget: If we signed up for CSID after the first breach, should we sign up for myIDcare as well? I received a letter several months ago then signed up for CSID. I just received another letter saying I should sign up for myIDcare. Do I need both or does CSID do everything myIDcare does? Thanks.

You can choose whether to sign up for the services OPM is providing.

You may want to check what services CSID offers, what services My ID Care offers and whether they are the same or different before you decide if you want to sign up.  For example, how long does a service last? What does it cover?

Bridget, if you are who you say you are, then you should know that parroting the same words over and over is not doing a thing to reassure us. Clearly, we've all BEEN to the OPM site and are still suspicious! I for one would love verification from a REAL authority that this is not a scam. You're only adding to our skepticism.

 laburke -- People may reach the FTC site because they searched for a word or phrase. They may read one article, one blog post, or maybe just a few comments -- maybe only one comment.

Our responses are designed to help as many readers as possible, including those who read only a little. If you read many FTC articles, blog posts, comments and responses, you'll see some information repeated.

If you want more information than you found on the OPM and FTC sites, you may want to contact your agency's Chief Privacy Officer.

I received my postal mailing today and after reading these posts I'm not sure about all of this either. If my fingerprints, personal data, etc were compromised why then do I have to give all of that to some contractor...shouldn't they have that info already? Also, how much $$ damage will the government pay for any stolen or charges not made by me? Seems like the companies that you pay for this service will then back you for a certain amount of $$. Let me guess how much they will back me if I have some fraudulent charges....

Go to for the most current information.

As of 11/20/15, the OPM website says it will provide two services through ID Experts for the next three years to people affected by the background investigations breach. You don't need to sign up or pay for these two services.

1. Identity restoration service: If your identity is compromised, representatives from ID Experts will work with you to take steps to restore your identity.

2. Identity theft insurance for impacted individuals and their dependent minor children. The insurance became effective on September 1, 2015 and the coverage includes all claims submitted on or prior to December 31, 2018. The insurance covers you for expenses incurred in restoring identity and is valid for amounts up to $1,000,000 with no deductible.

OPM offers other services to affected people. You have to sign up for those services. Learn how on the OPM website.

Sooo, if you provide me with a 25-digit pin and then ask me to input the last 4 of my SSN, shouldn't that populate my information on subsequent pages? Why would I be required to provide additional PII, i.e. my entire SSN and date of birth, if you already have it to begin with? Why provide me with a pin at all? Why even ask for my last 4 digits only to request the entire SSN on the following page? If this is a legit site/program then its execution is extremely poor and instills zero confidence in the service provider. Additionally, the fact that you're going to send me a letter on a single sheet of paper that's glued together doesn't seem like a safe and secure way to address the issue of identity theft. And why when I click on the contact tab on the myIDcare site does it only provide a mailing address and the URL? Does anyone really work there? And why is Bridget Small the only one answering to this thread and why are her posts the same every time? People want answers, not programmed responses telling us to go to a website.

Yes, I received that letter, and do not have time to figure out what it means, but at least if something suspicious occurs I know where to notify about it.

I agree with everything you just said. I just got my letter today and I'm hesitant to even put any info in. Even if it's legit, obviously they're handling it the wrong way. They let our info get stolen when it should have been secure (I mean come on government, if you can't protect your citizens information how can you do anything right...?) and now they want us to go onto some website to put all the personal info into a completely different internet database. This whole thing is ridiculous.

Just got the letter. PIN number did not work! Doesn't surprise this FORMER Oracle DoD developer who left because of having to deal with incompetent FEDERAL employees. Makes me sick that my very personal info was stolen. I doubt that I will be working for the DoD after next year because my clearance will be due a renewal, and why should I update my info for the Chinese?

I just rec'd a letter saying my fingerprints were compromised, but the odd thing is, is that the letter was addressed to my maiden name, which granted, was my name when I hired in, but the letter was mailed to my parents' address. I wouldn't have used that as an address when I was hired. I used my own address. Very odd. I'm definitely hesitant to give any of my information to ID Experts. I already gave it to CS ID.

Bridget Small it appears from your repeated posts you may work for OPM or their ID Experts - Was this Breach at OPM only pertaining to Government employees? Does it include those who are civilians that have had contracts with government offices? The repetition in your posts sounds desperate rather than informative - It seems OPM is clearly trying to solicit their ID Experts, but why should we trust a business that was hacked? In no way am I willing to give person info to anyone over the phone or internet that I have no knowledge of other than a breached company OPM pleading me to do so - I don't believe it.

Dear Reader,

I work at the Federal Trade Commission.

As you'll see in our commenting policy, this is a moderated blog: FTC staff review comments before they're posted. We respond to questions and provide links to related information where possible. Because OPM is the primary source for information related to OPM breaches, I suggest that people go to the OPM site for the most current information.

Bridget Small

I JUST received my letter today telling me that my info was stolen. And logged onto the website it told me to enter in the pin and see what I could do about it. It's asking for all kinds of personal info. And I understand that to monitor everything, a bunch of info is needed to prove who I am. But this is a really poor way to go about doing things. Basically our SSN#s and more was stolen from a computer database and we're being asked to enter our info into ANOTHER computer database that it can be stolen from. If my information gets used, I swear I will sue for everything it's worth.

If you signed up with MyIDCare, you agreed that any dispute you have with ID Experts will be arbitrated; you waived the right to a trial by jury or to participate in a class action. See opm. myidcare. com/terms

So do I sign up like the letter says? Or is that a scam? why do they need my whole ss#? Don't they already have it? Help? Confused :(

If you recently got a notification letter and PIN code from OPM, it means OPM determined that your Social Security number and other personal information was stolen in a cyber intrusion involving background investigation records.

If you're in that group, OPM automatically offers you identity theft insurance and identity restoration service.

You can choose to sign up for additional services:

  • credit monitoring
  • identity monitoring

In general, if you want to get identity protection, you have to give information that proves your identity. For example, you might have to give your social security number and other information so a company can locate the accounts you want them to monitor.

I just rec'd a letter in the mail from OPM. I did go to the website provided in the letter: , then I had two choices: to sign up for services or if I want more information. The more information side shows you what your letter is supposed to look like & the services page takes you to another page which explains the letter & there is a link to sign up for services, which takes you to a website:
There isn't anything for this CSID site-noted above, which when I went to it wouldn't accept the PIN number provided on the I'm super confused & not sure if I should sign up or not.
