You are here

Email from OPM – is it the real deal?

Share this page

Update (December 9, 2015): OPM discovered a second data breach that affects federal employees, contractors, and others. If you received a letter from OPM, please visit opm.gov/cybersecurity to learn more about what happened and to sign up for free identity protection services.

You just got an email saying your information was exposed in the OPM data breach. Wondering whether the email is the real deal or not? Here are a few things to look for:   

  • OPM will be sending most breach notifications by email between June 8 and June 19. The email will come from this address: opmcio@csid.com. If you get an email about the breach from a different address, then it’s a scam. Don’t click on any links or provide any personal information.
  • The real email from opmcio@csid.com will include your name, your PIN, a button to “enroll now” and information about the CSID Protector Plus program. If you prefer, rather than clicking the “enroll now” button, you can go directly to CSID’s website to enter your PIN and enroll.  
  • Here’s what to expect on CSID’s website: First, they’ll ask for your PIN or the last four digits of your Social Security number to make sure you are who you say you are. Next, if you choose to enroll in CSID's services you’ll be asked to provide additional personal information. 
  • OPM will not call you about the breach. If you get a phone call saying it’s OPM, then it’s a scam. Don’t provide any personal information. CSID, not OPM, is making all contacts about this breach. The contacts will be by email or US mail, not by phone. 

If you’re still unsure whether the email you got is real, check OPM’s website for more information and updates. If you think you’ve been tricked by a phishing email or a fake call, then file a complaint with the FTC and forward the email to spam@uce.gov.

Comments

There were two breaches at OPM. Earlier in 2015, OPM found out that people's personnel records had been stolen. OPM sent letters to those people earlier this year.

In June 2015, OPM found out that some people's background investigation information was stolen. OPM started sending letters to people affected by the background investigation breach at the end of September, 2105.

The letter you got from OPM should explain how to get services to respond to the breach that affected your information.

Bridget Small - I just received a letter stating all of my personal information including finger prints have been stolen. The response to provide identity protection for three years (starting 5 months PRIOR to me receiving the letter) is not an adequate response. With whom do I speak to address this matter? Will this require me to contact my congresspeople? Also, are we restricted to identity protection through ID Experts or can we enroll in a separate service. I'm uncomfortable providing more personal identifying information to a company I've never heard of.

People affected by the background investigation records breach are automatically provided with identity theft insurance and restoration services. Those individuals can chose whether or not to enroll for identity and credit monitoring services provided by the company OPM selected.

You may get additional information from the Chief Privacy Officer of the agency for which you work and the Frequently Asked Questions on the OPM website.

OPM guidelines from OPM letter, in bold: "Please note that OPM and ID Experts will not contact you TO CONFIRM ANY PERSONAL INFORMATION. (emphasis added) If you are contacted by anyone asking for your personal Information in relation to this incident, do not provide it." Very clear. Got it.

First section of Account Creation from "myIDCare (provided by ID Experts)" (quoted from the website): "Personal Information...The following personal information, ... is required to verify your identity..." Violation of OPM guidelines. Must be a scam. Very clear. Got it.

After all, it wouldn't make sense that compromised PII would be used to verify identity, or that OPM would decide to hinge the entire security of this process on a 25 digit PIN, which doesn't comply with the most basic password complexity requirements. Doesn't pass the sniff test. I'll wait for the real OPM letter. I mean, even the free checks I get from the bank have rudimentary anti-counterfeiting measures...

Given the set of victims of this negligence induced breach, I would expect the OPM to provide 1st Class, no expense spared mitigation.

To check whether the letter you received is from OPM, you can refer to the OPM website.

The OPM website includes images of the letters OPM sent to affected people. Follow this link to opm.gov and scroll down to "Actions You Can Take Now."

Of course all this makes sense, if you assume that OPM is run by idiots.

How can I verify if my ex-spouse and/or children are victims of the background investigation breach? Please note that any address, email, and phone contact info is out-of-date.

Is there a site (or, God forbid, phone number) to check to see:
1) whether their SSNs were compromised
2) whether, and to what extent, they are covered by the credit/identity monitoring services.

Go to opm.gov for the most current information.

The OPM site has questions and answers for people affected by the breach. There is information about spouses & family members.

If you were affected by the background investigation records incident, you and your dependent minor children are entitled to certain services from OPM. The resources on opm.gov  tell more about what's available for people who were affected.

I received a letter, and enrolled with MYIDCare; my fiancée' also received a letter. This confuses me since she is neither a service member, nor is has she ever been a federal employee. I did list her on my most recent security reinvestigation form, but no SSN. What information could have possible been stolen from someone listed on that form? Do I need to contact my other civilian references and tell them to beware of ID theft?
I'll standby for an answer before she signs up, and provides info to another database that can be hacked. This sucks!

You can get the most current information from opm.gov, or check with your employer's Chief Privacy Officer.

As of 11/27/15, the OPM site information has about the spouse/ partner/ family member of affected people:

Some background investigation forms ask for the SSN of your spouse or co-habitant. If you filled out a form that asked that, the other person will get a notification and will be able to sign up for services.

But some forms don't require the SSN of your spouse, cohabitant or other family members. You might have listed a spouse or family member's name, address, date of birth, or similar information, but not their SSN. In many cases, the information you listed is the same as what's generally available in public places like online directories or social media, and generally doesn't create the same amount of risk as if a SSN was exposed.

Here's my problem with this whole thing. You admit my data has been stolen, yet you need my data? Why don't you get it from the person that stole it.

A letter regarding my fingerprints, etc being compromised was just delivered to my home via the USPS.

There was no envelope, it was a letter that was folded in three sections with perforated edges (fold and tear). It shows that it came from OPM Notifications; 4 Columbia Pike Annex; Washington, DC 20370-1004. The Presorted First Class Mail U.S. Postage Paid imprinted (not a rubber or regular postage) on the letter says Indianapolis, IN Permit No 1310.

It has Office of Personnel Management as the letterhead with the phone number 800-750-3004 to enroll\ask questions as well as the website https://www.opm.gov/cybersecurity.

I have never seen or known of the street that this letter came from and find it suspicious and have not called the number or gone to the webpage (although it looks legitimate). Has anyone received a letter like I described?

The federal Office of Personnel Management (OPM) has a web address that ends in dot-gov, showing it is a government website.

You can type that address into your web browser and look at the information about cybersecurity and the breach of personal information. The website shows copies of the letters OPM is sending to people affected by the breach.

You guys had me convinced this was a scam. Glad I did what I did. You should too. Get off this thread and Google OPM. Their website is an official .gov website. On this website they talk about the 2 big security breeches and how they have been notifying people since 9/30/15. They explain the significance of this to you and your spouse, family, etc. And, most important, there is a copy of the official letter they sent out to people. And it's the letter I received.

Don't believe me? Go look for yourself.

I just received the letter (Nov. 27, 2015) about the breach. I had a Government security clearance once, and currently work for a company doing income tax preparation. The hiring process required a background investigation before hiring could take place. Both could be possible reasons for the letter. But sending all the information required via the I-net is troubling. How about a letter to OPM instead?

This just seems like a temporary fix for a long term problem. This is Just a bandaid for the ignorant masses of the affected. OPM needs to do a better job protecting there info sorry ment to say my info. Class action are two words OPM is more than likely not afraid of because of who the are. OPM probably sold all the info for enough to make a monthly payment on the loans from China.

Anyone notice that miss small never replies to those of us asking about suspicious information and circumstances? Also my father had his information "accidentally released" to the public about 10 years ago or so. Yes they offered him identity theft protection but it does no good. Over 10 years my father had had his identity used again and again. What good is a three year coverage plan going to do when you have to spend a lifetime dealing with this crap? My dad tried to apply for a new social but the government refused. Might as well be skipping pennies across a lake.

Might as well sign up not like I have to worry about my I.D. being stolen or any thing like that right? Kind of like buying a car alarm for a car that has already been stolen right?

How do we know the website is even real? Anyone could send out a letter with PIN #s on it and post a copy of what the letter should look like on a fake web page. We then go to their fake website and enter all of our private information thinking it is going to protect us. There has to be a more secure process than this.

I'm giving it a try as I already have had someone in Illinois using my SSN to work and no one in the government nor law enforcement seemed interested in helping when I contacted them. (How would I know if it is the OPM breach?)
My question, Ms. Small, is will be be charged for continuing this service after 18 months? Also, why are the credit scores not offered? (I can see the reports.) Thankfully I already have some other tracking going on to see mine but I do believe people should know it might not be the most thorough site for "one stop shopping".
I sincerely hope this service helps and is being utilized in good faith and not with motive to make money.

If your personal information has been misused, you'll find helpful information at identitytheft.gov.

There's information about what to do right away, how to correct your credit report, how to report a misused Social Security number and more.

Currently, the OPM site says that people affected by the background investigation incident will have services available to you and your minor dependent children at no cost for three years (until December 31, 2018). I didn't see anything on the OPM site about the cost of services after that date.

To stay up-to-date on the news and information, you can sign up for OPM’s cybersecurity email update list.

Any entity wishing to do contract work with the government has to first register with Dun and Bradstreet, which is the most unscrupulous, Brawndo-like corporation in the US. They immediately sell your information after you go through endless hurdles to "opt-out". Why should I think MyIDCare is any different? Further, I believe SAM.gov's disaster of a registration site is maintained by IT techs in India. How stupid is that? There is no reason whatsoever for me to provide my identification details to a 3rd party, which would only increase my vulnerability to identity theft. I wish I'd never gotten a clearance or registered in SAM.gov. If only I'd known what I know now about how our government has sold us out to the highest bidders. Makes me absolutely sick!

The security questions alone make this sound like a scam to sell our info to data mining companies like Spokeo, etc.

I got the letter via snailmail, to day. An immediate red flag for me was that it had a current address, but a previous married name I haven't used since 1977!!!!!

Have NEVER applied for a Gov. or Fed job. Why was my info compromised????

I think this is a big scam itself!!!!

I got the letter as well and not sure either if this is a scam. I am not a government employee. I don't want to be giving out my info either. Not sure where this came from.

Been following this for some time. Looks like a duck... Looks like phishing, must be. I think Bridget may be working for myIDcare. She has been spending alot of her free time from her supposed FTC job promoting this third party. I'm out, and will treat this as a scam! Don't give your information out to anybody that you are not completely comfortable with. We have all been taught to not follow links in email that you are not sure of. myIDcare through OPM is a scam!

If this letter is legit (yes mine looks like the one on the OPM website (an agency I have never heard of) but why was this letter not sent to those of us affected by certified mail? I mean I received a sexual harrassment survey certified mail and it was entirely less important than this issue! I am thinking about taking the letter to my local law enforcement agency to see if they can help.

In reading over the terms of use of myidcare, I can hardly believe that OPM is allowing the terms to be so bad. Even quoting any of the painful terms is against the terms, due to 14 E. In 4 B, they make no warrantee about any information they provide. Considering the reason that we're here in the first place, the worst terms are in 5.A.ii.3 - they are not liable for any failure to store our information. How can OPM be partnering with this company? It is like they are treating us with an evil laugh and "Ha! You're stuck with us, so we can put out whatever offensive terms we want."

I have searched on line regarding this action. In the letter it says that "OPM and ID experts wouldn't ask for personal info". They advise in the letter: "If you are contacted by anyone asking for your personal info in relation to this incident, do not provide it" And that is exactly what they do after you enter the PIN???!!! And it was not mentioned in the letter, that they will ask that. After I read the letter, I thought, oh, that's cool, I just give them that PIN and they will know who I am. I was in a shock they are acting exactly like a phishing scam.
Like the most people, it makes me extremely uncomfortable that after the data breach they ask me to enter on line my SSN, address, DOB.
Even if myIDcare is legit, doesn't OPM already have all our info? Why would we need to expose our info once again? If Chinese were able to hack government info, why wouldn't they hack myIDcare? Either way it is all gamble.

Ms. Small, why does the site we are taken to from the opm.gov page have a .com address: opm.myidcare.com? It is concerning that we are asked to enter ss# and other information on a .com website. Thank you.

The OPM website (opm.gov) has a link that goes directly to the contractor OPM chose to provide services.

You can read more about the contractor and selection process at opm.gov/cybersecurity. Click on the question that says "Who is the contractor providing services for the background investigation records incident?"

1. I find it interesting that only civilian accounts were breached. Suggesting an inside job.
2. Isn't this like closing the gate after the horse has already bolted.
3. This looks like an attempt to remove culpability by our untrustworthy Govt.
3. A class action Suit should be in order.

oh i think this is wonderful!

if you are screening the comments then you are acting illegitimately. Govt betrayal once again!

I just received the letter. I have never worked for .Gov, but applied for TSA precheck, which includes a background check. Could this info be included in the hack? If that's the case, we have a much greater problem. Thousands of civilians are now vulnerable to this cyber incompetency! I will wait this out until I have more info.

I received a letter, checked the OPM www site, and after initially logging in I found it wanted waay too much personal info.

I'm too uncomfortable about this. They have my info they can monitor this themselves, I'm not going to fill anything out. If I'm breached, they still need to fix it.

I received my letter today, 12/4. I did hold a civil service job for a short time earlier this year and also applied for another civil service test a few months ago. I'm confused because the letter was addressed to my married name and I've been divorced 25 years and ex deceased 21 years. When was my info stolen? Should I expect this letter in my current/maiden name?

Go to opm.gov/cybersecurity for the most current information.

The OPM site has copies of the letters it sent to people. There are different letters for people whose finger prints were - and weren't - compromised.

The site also says that OPM tried to locate the best address for people who were affected by the incident involving background investigation records. Unfortunately some letters have been mailed with old addresses or names.

there is a strong irony in giving so much information on the web because your information on the web was breached. Nevertheless, the letter with the five grouped pin number and the opm web site worked fine. I got credit report from all 3 services and will get email notices of any future breach.

also, free identity theft insurance

My son calls me this morning from NY that he has received a letter with Mom's name (over FL) and his NY address, from opm.gov with pin number. Advise Mom to contact with IDExpert. I have a basic question how could the Name and address scrambled in this letter? OPM.GOV and ID Expert are really doing any thing? Apparently, you have provided more personal information, i.e date of birth, etc to register. By the way, do you have to pay a protection fee to this IDExpert for their service?

Go to opm.gov for the most current information. There's information there about what to do if you get a letter in the wrong name, or with other mistakes.

In general, if you want someone to protect your personal information, you have to tell them your personal information so they know what to protect. You are not required to enroll in the services OPM is offering. If you choose to enroll in credit monitoring and identity monitoring, you will provide information so the company can monitor your information.

The federal government is providing the services to affected individuals for a certain period of time. While the government provides you with the services, you don't pay for them.

Domain opm.myidcare.com data: Registrant Name: Identity Theft Guard Solutions, LLC Registrant Organization: Identity Theft Guard Solutions, LLC Registrant Street: 10300 SW Greenburg Rd Registrant City: Portland Registrant State/Province: OR Registrant Postal Code: 97223 Registrant Country: US Registrant Phone: +1.9712424704 =================================== Bottom line: it's marketing scheme to involve people into the paid service, which is really not needed because major credit cards provide it for free + everybody can get the free credit report once per year. Not sure if it's a fraud (besides masking as federal service, again not sure if it's a crime) but definitely scum. Period.

If you were affected by the breach of background investigation records, OPM is offering you, and any of your dependent minor children who were under the age of 18 as of July 1, 2015, credit and identity monitoring, identity theft insurance, and identity restoration services through ID Experts.

If you choose to enroll in credit and identity monitoring, the government will provide the services for a certain period of time.

You are not being asked to pay for the service during the time the government covers you.

Credit and identity monitoring are different from the loss protection you have on your credit card. If your card is used without your permission, you can be held responsible for up to $50 per card.

You can get a free copy of your credit report, at your request, from each of the three largest credit reporting companies once every 12 months.

Each of the domain names are registered to one guy, Chris Kane. What security company would allow that? Even if Admin and Tech? And this guy has about nine different domains with the same category. Not doing this.

Admin Name: Identity Theft Guard Solutions, LLC Admin Organization: Identity Theft Guard Solutions, LLC Admin Street: 10300 SW Greenburg Rd Admin City: Portland Admin State/Province: OR Admin Postal Code: 97223 Admin Country: US Admin Phone: +1.9712424704 Admin Phone Ext: Admin Fax: Admin Fax Ext: Admin Email: chris.kane

Never fall prey for FREE GOVT anything! Too incompetent let them steal my credit! They will get laughed at.

You need to give more exact identification info. Is opm.gov real? I got a letter, not email from them. They seem to want more personal info-a sure trouble sign. this is a real poor way to deal with info security!!!

OPM.gov is the website of the United States Office of Personnel Management. It is a federal government website.

You will find a great deal of information about the breach and the services OPM is providing to people affected by the breach at opm.gov/cybersecurity.

You are not required to provide personal information. If you choose to enroll in the additional services OPM is making available, you will give personal information to enroll in those services.

Pages

Leave a Comment