
Email from OPM – is it the real deal?


Update (December 9, 2015): OPM discovered a second data breach that affects federal employees, contractors, and others. If you received a letter from OPM, please visit opm.gov/cybersecurity to learn more about what happened and to sign up for free identity protection services.

You just got an email saying your information was exposed in the OPM data breach. Wondering whether the email is the real deal or not? Here are a few things to look for:   

  • OPM will be sending most breach notifications by email between June 8 and June 19. The email will come from this address: opmcio@csid.com. If you get an email about the breach from a different address, then it’s a scam. Don’t click on any links or provide any personal information.
  • The real email from opmcio@csid.com will include your name, your PIN, a button to “enroll now” and information about the CSID Protector Plus program. If you prefer, rather than clicking the “enroll now” button, you can go directly to CSID’s website to enter your PIN and enroll.  
  • Here’s what to expect on CSID’s website: First, they’ll ask for your PIN or the last four digits of your Social Security number to make sure you are who you say you are. Next, if you choose to enroll in CSID's services you’ll be asked to provide additional personal information. 
  • OPM will not call you about the breach. If you get a phone call saying it’s OPM, then it’s a scam. Don’t provide any personal information. CSID, not OPM, is making all contacts about this breach. The contacts will be by email or US mail, not by phone. 

If you’re still unsure whether the email you got is real, check OPM’s website for more information and updates. If you think you’ve been tricked by a phishing email or a fake call, then file a complaint with the FTC and forward the email to spam@uce.gov.
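The sender check from the first bullet, written as a mail-filter rule. This is an added example, not code from the FTC, OPM or CSID. It goes beyond the article by also catching a display name that imitates the address and by requiring a DMARC pass recorded by the receiving server; the server name `mx.example.net`, the function name and all sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

EXPECTED_SENDER = "opmcio@csid.com"  # the address the article gives
TRUSTED_AUTHSERV = "mx.example.net"  # assumption: your own receiving mail server


def check_sender(raw_message, trusted_authserv=TRUSTED_AUTHSERV):
    """Return reasons to distrust the message; an empty list means no red flag."""
    msg = message_from_string(raw_message)
    from_headers = msg.get_all("From", [])
    if len(from_headers) != 1:
        return [f"expected one From header, found {len(from_headers)}"]

    display, addr = parseaddr(from_headers[0])
    addr = addr.lower()
    if addr != EXPECTED_SENDER:
        findings = [f"From address is {addr!r}, not {EXPECTED_SENDER!r}"]
        # Mail clients often show only the display name, so check it too.
        if EXPECTED_SENDER in display.lower():
            findings.append("display name imitates the expected address")
        return findings

    # The From header is written by the sender. Only a DMARC pass recorded by
    # our own server (matched on its authserv-id) shows csid.com authorised it.
    domain = EXPECTED_SENDER.split("@")[1]
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, _, results = value.partition(";")
        if authserv_id.strip().lower() != trusted_authserv:
            continue  # not added by our server, so it proves nothing
        m = re.search(r"\bdmarc=(\w+)[^;]*\bheader\.from=([\w.-]+)", results)
        if m and m.group(1).lower() == "pass" and m.group(2).lower() == domain:
            return []
    return [f"no DMARC pass for {domain} recorded by {trusted_authserv}"]


# Constructed sample messages; only the headers matter for this check.
GENUINE = (
    'From: "OPM CIO" <opmcio@csid.com>\n'
    "Authentication-Results: mx.example.net; dmarc=pass header.from=csid.com\n"
    "Subject: constructed sample\n\nbody\n"
)
DISPLAY_NAME_SPOOF = (
    'From: "opmcio@csid.com" <notice@opm-enroll.example>\n'
    "Authentication-Results: mx.example.net; dmarc=pass header.from=opm-enroll.example\n"
    "Subject: constructed sample\n\nbody\n"
)
FORGED_FROM = (
    "From: opmcio@csid.com\n"
    "Authentication-Results: relay.invalid; dmarc=pass header.from=csid.com\n"
    "Authentication-Results: mx.example.net; dmarc=fail header.from=csid.com\n"
    "Subject: constructed sample\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE),
                      ("display-name spoof", DISPLAY_NAME_SPOOF),
                      ("forged From", FORGED_FROM)]:
        print(name, "->", check_sender(raw) or "no red flags")
```
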

Comments

Got this letter in the mail today, 12/5. Does anybody have any new info on this breach?

You will find a great deal of information about the breach and what OPM is doing for people affected by the breach at this federal government website: opm.gov/cybersecurity.

That is a website of the Federal Office of Personnel Management.

If you received a letter in December, it is probably about the breach of background investigation records. Look for information on the OPM site about that breach.

Is the recommended monitoring Co. MYIDCare for real for our breach for 3 years for free? Legitimate? Why can't the government change 2 # on our SS# with our permission? This would solve the problem.

The myIDcare is just a way to get you to waive your rights in a class action lawsuit. Read the "Terms of Service" BEFORE you check that box!:

THESE ARE THE TERMS OF OUR AGREEMENT WITH EACH OTHER. ALL OF IT IS IMPORTANT SO TAKE A FEW MINUTES TO READ IT CAREFULLY. BY ENROLLING AND THESE SERVICES, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO THESE TERMS AND CONDITIONS.

THIS AGREEMENT CONTAINS AN ARBITRATION CLAUSE AND A CLASS ACTION WAIVER.

YOU UNDERSTAND THAT BY ENROLLING IN THE MYIDCARE PROGRAM FOR OPM (THE “OPM PROGRAM”), YOU ARE PROVIDING "WRITTEN INSTRUCTIONS" IN ACCORDANCE WITH THE FEDERAL FAIR CREDIT REPORTING ACT, AS AMENDED ("FCRA"), FOR IDEXPERTS, CSIDENTITY CORPORATION (“CSID”) AND THEIR RESPECTIVE SERVICE PROVIDERS, WHICH MAY INCLUDE CONSUMERINFO.COM, INC. (“CIC”), TO OBTAIN INFORMATION FROM YOUR PERSONAL CREDIT PROFILE FROM EXPERIAN, EQUIFAX, AND TRANSUNION, THE THREE MAJOR CREDIT REPORTING AGENCIES. YOU AUTHORIZE CSID AND ITS SERVICE PROVIDERS TO USE YOUR SOCIAL SECURITY NUMBER TO ACCESS YOUR PERSONAL CREDIT PROFILE, TO VERIFY YOUR IDENTITY, AND TO PROVIDE CREDIT MONITORING, REPORTING AND SCORING PRODUCTS AND TO PROVIDE THE ADDITIONAL PRODUCTS AND/OR SERVICES TO YOU, INCLUDING, BUT NOT LIMITED TO, ADDRESS HISTORY REPORTS, NAME AND ALIAS REPORTS, CRIMINAL OR SEX OFFENDER REPORTS, AND TO PROVIDE MONITORING AND/OR ALERTS TO YOU.

I'm guessing that Bridget Small is part of the scam. Do not believe her. Do not give out your personal information on their website.

 Johnnyk -- I'm sorry you guess I'm part of a scam. I'm not. I'm a federal government employee, working for the Federal Trade Commission.

The FTC provides this free blog and consumer education on dozens of topics in English, Spanish and other languages to help people spot and avoid scams.

I work for the FTC, not OPM. You'll see that I usually refer people to the OPM site for more information, because OPM is the agency that's helping people affected by the breaches.

If your information was exposed in a breach, you can read about what to do at identitytheft.gov, or look at the questions and answers on the OPM site, or contact the Chief Privacy Officer at your agency.

You just repeat yourself, that's what you do.

Got this letter in the mail-box today ( 12-7 ), looks like Trouble DeLuxe to me. Think I'll be better served to run it thru the shredder and MOST Certainly don't call that 800-750-3004 phone number ! ! ! This whole dang deal smells like a dead skunk on a hot August afternoon !!! The little bird on my shoulder is saying " RUN !!! NOW ! ! ! "

FYI. If you've placed a security freeze on your credit with the credit agencies you can't complete the registration process. I didn't see any notice of this before or during the signup process and there's no mention of it anywhere that I could find. They should inform you of this *BEFORE* you enter all your personal data. The process fails telling you to call the 800 number after you select a user ID and password. Calling the number and entering the PIN and last 4 SSN they put you on hold for 5 minutes and then tell you the lines are full and disconnect.

My spouse and I both received letters from OPM. First thing I noticed was no middle initial in either of our names. I worked for many years in the federal government and NEVER saw official correspondence without middle initials.

I received a physical mail from US postal. I called BBB to see if the number was legit and they have no record of it, couldn't even direct me to an official government BBB to confirm its authenticity, so I'm tearing it up and tossing it into the garbage and contacting my local LifeLock company in the morning. Please beware, sounds like a scam for real.

The federal government has a website that explains the data breaches that affected many millions of people.

Go to opm.gov/cybersecurity to see samples of the letter the Office of Personnel Management (OPM) is sending to people whose information was exposed.

If you are affected by the breach, OPM will provide you with free identity theft insurance and identity restoration services. OPM is also providing you with credit monitoring and identity monitoring if you choose to enroll.

Received same letter yesterday and never worked directly or indirectly for the government. Worked for a nonprofit and needed access to VA hospitals and access to a military base in my area so background check was done. It is hard to wrap my head around how my government managed to lose my personal information and is only willing to help (if I so choose and give up some rights in the process) for a few years with credit monitoring when what they have lost could be used to destroy my credit until the day I die. Even if I decide to sign up for the free service, this is only a band-aid and what a bonanza for the vendor who after the government stops paying for the service (with our tax dollars by the way) to continue the coverage, we will need to pick up the tab. The government caused this problem, they should consider making it right with lifetime protection or new SS numbers. I would bet new SS numbers for all involved would be less expensive than the credit monitoring.

Why is the myidcare website failing HTTPS?

Everybody on here would probably agree this is a HORRIBLE way for the US govt to handle a security breach. Unbelievable, well not totally, but definitely sad. Beth F Cobert should be embarrassed and re-evaluate this process. Wait, here's an idea... let's instill confidence with the victims by asking them to provide the very same personal info that was hacked, and do it by directing them to a website (company) who will not be able to prevent a problem from occurring. From what I can deduce from this mess is myIDcare may, or may not, help put the pieces back together after the damage is done. It's only applicable to victims who suffer a loss over this whole mess. The way I see it is the govt is putting people at risk of being hacked yet again by putting the information out there yet again... It is odd the FTC leaves Bridget Small to deal with the mounting concerns and skeptical victims. I was speechless at first, but now I'm totally confused, frustrated, and upset. Nice work!

Thank you, my sentiments exactly.

Like many of you, I too had my suspicions. My last name had a typo error so I thought this is a scam. I just came off the phone with an OPM agent, where I was able to apply over the phone. The phone process took about 12 minutes. I did not use the phone number in the letter, I went straight to their website and took the number from there. There were many other things I read on their site before determining this was legit. THIS IS THE REAL DEAL!!! I started signing up on the net but got to a point where they asked me for my entire SS number so I stopped. The info needed on the net is just what they needed on the phone. The instructions on the letter are safe to follow. I had to provide the agent with the pin number from it. Hope this clears up things for those unsure.

It might be the real deal, but it is scary that now the same data that was compromised is now in yet another database! And worse, my wife's letter has an invalid PIN so she cannot sign up. Both mine and hers are valid letters from OPM. The 18 months also means nada since all the bad guys just need to purchase and hold on to the data until January of 2019 and proof we are left in the wind. Unless you purchase, for an extra fee, additional monitoring.

I'm convinced that the letter I received is legit. I am, however, concerned with the amount of information required to be submitted over the internet, even though it is an https site. I'm not sure if there is a more secure method of enrolling, though.

Questions for Bridget:
How long does the free coverage last?
How much will it cost once the government stops paying?

It seems these answers should be readily available if anyone at all has any kind of plan to protect those affected. Otherwise, I'd agree that this is just a patch or band-aid to temporarily placate those affected by the government's inability to protect us.

The OPM website (opm.gov) has the most current information.

The questions & answers at opm.gov say that if you were affected by the breach of background investigation records, your identity theft insurance and identity restoration coverage began on September 1, 2015 and will end on December 31, 2018.

You'll have to ask the company that provides coverage about its costs.

Ms. Small, can you answer the other part of the question: how much will coverage cost those of us not responsible for the information leak after 31 December 2018?

No, I can't say what the cost of coverage might be in the future. That information doesn't seem to be on the OPM site (opm.gov). You'll need to ask the company what their costs will be in the future.

Thanks, Bridget.

So if you sign up for the service they are offering you also are signing away any right to sue or join class action suit. Read the terms before you agree.

I received the letter in the mail this past week that my information has been compromised, probably from my husband's background investigation. I've then received a notice taped to my door that a local OPM representative with a local phone number wanted me to call them. Their name and # was handwritten on an index card size with OPM emblem on it. This seems a little funny to me that someone would come to my door when I got a letter in the mail. I'm wondering if this is a hoax. Or if I should call this person. I have not noticed any other comments on this page that people have had a human come to their door and leave a notice.

OPM is not contacting people affected by the data breach in person. This is a ruse by fraudsters who are out to steal personal information or commit some other type of fraud. Please file a complaint with the FTC about this, so law enforcement can investigate.

The OPM website clicks through to another one at myidcare.com - a commercial site. Is that legit? I feel insecure putting my SSAN into it.

MyIDCare is the brand name of ID Experts’ identity-monitoring product being offered to you if you were impacted by the OPM background investigation records incident. Please visit www.opm.gov/cybersecurity/faqs/ for more information.

 

I got a letter today about the breach mailed to my place of work. I never used that as an address for any application. Why not send it to my home? I think this is a scam.

After reading all these comments I am more confused than ever!!! I received a letter stating that "it has been determined that my SS number and other personal information was included in the intrusion". I have never worked for any Federal agency though years ago, I think I applied for an FAA position, so I am finding this hard to believe. Bridget Small-FTC, is there a brick and mortar Federal agency we can visit to verify the legitimacy of all this?

I never worked for gov. Why am I getting a letter? In 2002 I worked for a trucking company, did background check for hazmat permit.

There were two breaches of OPM files. If you got a letter in December, it was probably about the second breach, a breach of background investigation records.

The OPM site (opm.gov) has questions and answers for people affected by the breach. The site says that if you had a background investigation through OPM in 2000 or afterwards (and submitted forms SF 86, SF 85, or SF 85P for a new investigation or periodic reinvestigation), it's very likely you were affected.

You might also be affected if you are a:

  • Current or former federal government employee
  • Member of the military or veteran
  • Current or former federal contractor
  • Job candidate required to complete a background investigation before your start date
  • Spouse, co-habitant, minor child, close contact of any of the above groups (because someone might have listed you on THEIR application)

I don't think this is legit. The letter sent to me sent a pin number, and once I went to opm.gov/cybersecurity, it requested my last 4 of my SS. Once I entered it, it should have automatically populated my personal info they have on record. Had they done that I would have known that they actually are who they say they are. Instead they want more info on me. If they have been compromised, what assurance do I have this site is not really the malicious cyber intruders?
I say if (OPM) is sending me this letter and they sent a pin number and I give them my last 4 of my SS, (OPM) better be able to show me proof of what they have on file on me before I consider providing more info, instead of me filling in the blanks for them. I say beware!!!!!!!

Go to opm.gov for the most current information. OPM continues to add new information to the site.

The OPM site says that if you were affected by the breach of background investigation records, you will get a notification letter with a PIN code. The PIN will be used to check if you're eligible for the services OPM provides.

OPM did not give your personally identifiable information to ID Experts. That's to protect your information.

You give the PIN and last 4 digits of your Social Security Number to ID Experts because that's the only way it can check to see if you're eligible for services.

After you give the PIN and last 4 digits of your Social Security number, OPM uses a one-way algorithm which has to match what you tell ID Experts before you can sign up for services.
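One way an eligibility check like the one described in the reply above could work, as an added example that is not OPM's or ID Experts' code. The page does not name the algorithm or say who holds what, so PBKDF2-HMAC-SHA256, the salt, the 25-digit PIN format, the record values and every name below are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

ITERATIONS = 200_000                     # assumption: work factor for the demo
PROGRAM_SALT = b"constructed-demo-salt"  # assumption: one salt for the programme


def normalise(pin, last4):
    """Canonical byte string for a PIN plus last four SSN digits."""
    pin = re.sub(r"[\s-]", "", pin)      # letters print PINs in groups
    if not re.fullmatch(r"\d{25}", pin) or not re.fullmatch(r"\d{4}", last4):
        raise ValueError("malformed PIN or SSN digits")
    return f"{pin}:{last4}".encode()


def one_way(pin, last4):
    """Digest that can be matched but not reversed into the inputs."""
    return hashlib.pbkdf2_hmac("sha256", normalise(pin, last4),
                               PROGRAM_SALT, ITERATIONS)


def build_digest_list(records):
    """Agency side: turn (pin, last4) records into digests and share only those."""
    return [one_way(pin, last4) for pin, last4 in records]


class EligibilityList:
    """Vendor side: holds digests only, no names, PINs or SSN digits."""

    def __init__(self, digests):
        self._digests = list(digests)

    def is_eligible(self, pin, last4):
        try:
            candidate = one_way(pin, last4)
        except ValueError:
            return False                 # malformed input never matches
        # The 25-digit PIN carries the entropy: without it, guessing the
        # 10,000 possible last-four values does not reproduce a digest.
        return any(hmac.compare_digest(candidate, d) for d in self._digests)


# Constructed record: neither value belongs to a real person.
CONSTRUCTED_RECORDS = [("12345-67890-12345-67890-12345", "6789")]

if __name__ == "__main__":
    vendor = EligibilityList(build_digest_list(CONSTRUCTED_RECORDS))
    print(vendor.is_eligible("1234567890123456789012345", "6789"))  # matches
    print(vendor.is_eligible("1234567890123456789012345", "0000"))  # wrong digits
```
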

Received my letter this afternoon. Went through the 25-digit sign-up process, it completed successfully. Logged out of site.

Received a welcome email from MyIDCare.com a few minutes later that directed me to login. Clicked the link that brought me to a page saying that my device was not recognized (the same computer I created the account on) and that a passcode would be required. Passcode arrived by text message. Entered it into myIDcare Identity Verification page and pressed "verify passcode". A minute goes by, two, then an error page pops up titled "Server Error in '/SecureAuth1' Application". A section titled "Object reference not set to an instance of an object", then a JavaScript stack trace. Have gone through this twice with same result.

Called the help line. Agent told me to enter pin into the passcode field. Told agent it was a 6 digit passcode not the PIN. Agent said she would transfer me to tech support, then hung up on me.

Called back again. This time an agent who was very efficient, transferred me to tech support: 20 minute wait time. Talk to tech support agent, very nice man, who tells me that there are too many people trying to access their servers and they don't have the bandwidth to handle them all.

Ask him why if Amazon can handle all of the holiday traffic, the U.S. government and its contractors can't? He says that he's asked the same question and received no answer. He tells me that on Black Friday Amazon handled 10 million connections without an error.

I know that Amazon offers cloud services based on the same cloud services that they use to handle their transactions. I know Google and Microsoft offer similar services. So the question remains, why can't the U.S government, with the vast resources provided by our tax dollars, not do what Amazon, Google and Microsoft can? Those companies, and others, offer cloud services that would be a better use of tax dollars than the current broken myIDcare system. On those cloud systems you can even specify that the services and data remain in the United States, and at specific locations in the U.S. There really is no excuse for a smaller version of the Obama care sign-up fiasco.

I just received my letter today Dec 13 2015. In my maiden name when I worked for the post office I was and have been using my legal married name even now after a divorce. I haven't used my maiden name since 1984. I'll be taking this letter to FBI cyber crimes, and then to a lawyer for a class action case. Govt gives my info and FINGERPRINTS away, and only wants to do 3 yrs of free security. Get out of here.

I received the OPM letter with a PIN. However,

1. It was sent to a colleague's address, not mine.

2. It did not use my middle initial in the salutation.

3. The web site listed (opm gov/security) did not load.

4. The letter said I could call 1-800-750-3004 to "ask questions", but when I did, there was no opportunity to ask questions, only to register with my PIN. With all of these red flags, how do I know this letter is legitimate? Thank you.

Go to opm.gov for the most current information. You can also contact the Chief Privacy Officer at your workplace.

The OPM website has a lot of information for people affected by the security breaches. The site says that the government tried to locate the best addresses for people, but some letters went to old addresses or names. If you think a letter was meant for you, you can use the PIN in the letter if you want to register for identity protection and credit protection.

OPM is using this address: opm.gov/cybersecurity

Thanks. I managed to use the letter to register and it seems fine.

A small 'note' was left on my door. It was "OPM Form 1634." It asked that I contact an OPM investigator at the phone number shown. Is this legitimate and how can I confirm this?

OPM's agents will leave OPM Form 1634 at the residence of contacts. Individuals can verify the status of an OPM investigator by contacting FIS Security and Safety Team at 888-795-5673 or fissst@opm.gov.

Wondering why I didn't get an email at work where the security screen all began. There is a crew of security experts onboard and we never heard a word about this from them. Certainly don't feel comfortable giving out ssn along with DOB and name. Easy to access anything with that info. I am with others with the thought that they already have all this info, so why try to extract it from us. The letter said no one would "call" looking for this info. QUOTE from letter: If you contacted by anyone asking this info, don't give it to them." Good guy, bad guy tactic? I will check at work before proceeding. Surely everyone in my office must be getting the same letter.

Go to opm.gov for the most current information.

The OPM site will answer many of your questions.

OPM is sending letters, not email, to affected individuals.

You are not required to enroll in services. You have a choice about whether to enroll in the credit monitoring and identity monitoring OPM will provide. If you choose to enroll, you do not have to provide your full SSN.

Bridget, how many have signed up so far?

I don't know how many people have enrolled in the credit monitoring and identity monitoring services OPM is providing.

Hi, has anyone else (after signing up for services) received emails from IDCare Experts every couple of weeks saying there is an alert on your account, only to log in and there are no alerts? Sounds suspicious or their alert services keep posting false positives! Thank you

I received a letter and signed up. As far as I can tell, the service is legit. If MyIDCare is a scam, it's incredibly elaborate and expensive. I'm impressed with their website and services so far. I'm amazed at all the paranoia, distrust, and whiners here. You think this is the only security breach that has happened or will happen? Get used to it. Just like crime in the streets, ID theft is a fact of life on the Internet. Good luck trying to sue the government.

I'm not a Federal employee but just got the now infamous OPM data breach letter a couple days ago. At first, like most people here, I thought it was a scam. Not being in the Federal Government, I had never heard of OPM and thought it stood for Other People's Money. This added to the hoax factor. Then I did a lot of reading and came to the conclusion that this really happened and this letter is real.

Why me? I narrowed it down to a seasonal job I took with the IRS 11 years ago. They did a thorough background check on me which included fingerprints. Yes, folks-our government doesn't purge their database!

We're all in a mess and it's obvious that our government needs help otherwise their database wouldn't have been breached twice. Hence, the need for a .com IT place. I also imagine that current laws protect our data so that we have to willingly give our PII to anybody else rather than the government just handing it over to anybody. So, these things I understand. What I don't understand is why ID Experts was chosen. Are they the best out there at protecting our identities or were they just the low bid contract?

My letter from OPM indicates that ID Experts is the company that will provide identity theft protection. Is this the same as IDC? I haven't signed up for anything yet because I'm still being very cautious.

Go to opm.gov for the most current information. You'll find answers to many of your questions on the site.

The OPM site says that people affected by the background investigation records breach will get services through ID Experts. The service that ID Experts gives is called MyIDCare.
