OPM data breach – what should you do?

Update (December 9, 2015): OPM discovered a second data breach that affects federal employees, contractors, and others. If you received a letter from OPM, please visit opm.gov/cybersecurity to learn more about what happened and to sign up for free identity protection services.

A data breach at the Office of Personnel Management (OPM) – and you’re a current or former federal employee whose personal information may have been exposed. What should you do? Take a deep breath. Here are the steps to take. 

First Steps

  • Check your credit report at annualcreditreport.com. Look for accounts or charges you don’t recognize. Even if the breach didn’t involve credit card information, thieves may use your Social Security number, address and date of birth to open accounts in your name.
  • OPM announced that it plans to offer credit report access, credit monitoring, and identity theft insurance and recovery services to potentially affected individuals. Take advantage of this offer.
  • Place a fraud alert on your credit reports. With a fraud alert, businesses must verify your identity before providing new credit. An initial fraud alert lasts 90 days but you can renew it.    

Next Steps

If your information was exposed, then OPM will send you a letter explaining what information was involved. Your next steps depend on the type of information exposed:

Social Security number

  • Consider placing a credit freeze. Why? Thieves can use your Social Security number to open new accounts. With a credit freeze, no one can open a new account in your name (until you lift the freeze).
  • Next year, try to file your taxes early – before a scammer can. Once your Social Security number is exposed, a thief can use it to get your tax refund.

Bank account, credit card, or debit card information

  • Contact your bank or credit card company to cancel your card or close your bank account. Request a new account number.
  • If you have automatic payments, update them with your new account number.
  • Review your transactions regularly to make sure no one has misused the account.

Online login or password

  • Log into the account to change your username or password. If you can’t log in, then ask to shut down the account.
  • If you use the same password elsewhere, change that too.

For updates about the breach, check OPM’s website. For more information about what to do after a data breach, and a handy checklist of steps, visit Identitytheft.gov/databreach.

Remember to continue checking your credit report at annualcreditreport.com, in case information is misused in the future. You can order a free report from each of the three credit reporting agencies once a year.

If you discover that someone is misusing your information, you’ll need to take additional steps, including filing a complaint with the FTC. IdentityTheft.gov walks you through those steps – because recovering from identity theft is easier with a plan.   

Comments

Our blog post advises people affected by the breach to place a 90-day fraud alert on their credit reports. When you place a fraud alert, you are entitled to a free credit report from each of the three national credit bureaus. The confirmation letter that you receive from each credit bureau will include instructions for getting your free credit report.

Can we start a lawsuit against OPM? I would like a lawyer to comment if we can take legal action against OPM. Basically what I am reading is that I need to waste my time to monitor my credit, cancel my debit/credit cards, change all my passwords. Time is money. I am going to ask my command to allow time to make all those changes if my information has been compromised.

Ricardo, were you harmed by this? Legal action (lawsuits) are taken to recover damages. If you were financially damaged by this then maybe legal action would be appropriate. If not then, no.

Take the time to read the Privacy Act of 1974. There are legal remedies regardless of actual cash losses.

“Whenever any agency . . . fails to maintain any record concerning any individual with such accuracy, relevance, timeliness, and completeness as is necessary to assure fairness in any determination relating to the qualifications, character, rights, or opportunities of, or benefits to the individual that may be made on the basis of such record, and consequently a determination is made which is adverse to the individual [the individual may bring a civil action against the agency].” 5 U.S.C. § 552a(g)(1)(C).

There will be Class-Action Litigation. Like another OP stated, the time it takes to change password, close account, stress etc. as a preventive can be translated to dollars.

You only need to show damages. (On top of duty to care, etc.) But placing your SS number in the hands of unscrupulous individuals IS damaging to your security regardless of if they act on it. Your security has been damaged and you cannot get that security back no matter how much monitoring they give you.

I'm told to "update" my password every 3 months-how often is the OPM security updated?? Was that why this happened? It obviously was NOT very secure.

My only federal employment was as a temporary worker on the decennial census for a few weeks in 2009 and 2010. Would my record be among those compromised?

Go to opm.gov for the most current information.

On June 4, 2015, OPM's website said that the incident data may have compromised the personal information of current and former Federal employees.

OPM will start sending notices to individuals whose information might have been compromised on June 8, 2015. OPM will continue sending notices until June 19, 2015. They will send an email from opmcio@csid.com with information about the credit monitoring and identity theft protection services being provided to Federal employees who were affected by the data breach. If OPM doesn't have an email address for the person, it will send a standard letter by U.S. Postal Service.

We just now received a letter stating that our information was compromised back in June. Took them long enough

Just received my notice of hacking OPM called it (cyber intrusion), 11-30-15

18 months of identity theft insurance does not seem like long enough. This should be doubled...to 36 months at least.

For an incident in which a given individual's sensitive PII has been compromised, why is the free identity theft protection only being offered for 18 months or 3 years (for the other 21.5 million), when that individual may plan on continuing their life with their born identity for upwards of 4 to 70 years? Shouldn't the protection last the lifetime of the affected individual? It's not like the compromised information is going to dissolve and disappear upon expiration of the free protection. It seems reasonable to assume that the compromised information will be available to identity thieves indefinitely now, does it not?

How do we know what email address OPM has on file if we are active employees? Do we get a letter if they send an email to an address that no longer exists?

I worked for the Federal government in the early 1990's. Have now been living at the same address for several years, filing tax returns showing that address etc... Will OPM have my current address it needs to send me the letter? If I don't receive a letter can I be reasonably certain that to date OPM has not discovered that my info was compromised? Thanks to anyone who can help.

I'm wondering what they will do with the knowledge of clearances and to certain people because of that they become targets

Exactly!!

And just how exactly will I know that my information was taken? My credit report is all messed up, I haven't been able to access it because I don't know the answers to some of the questions. I have been using the credit monitoring but it is limited and inconclusive. I have already been notified by the United States Postal Service that my information was breached. Is this an entirely different breach?

Please check OPM’s website and FAQs for the latest information about the incident and services being offered to victims.

Will notifications be sent to our government email address or to personal email?

Current federal employees will be notified at their current work email. For separated/retired employees, OPM will send a letter to the last known address in the National Change of Address database.

From OPM’s FAQs:

How will OPM contact me if I no longer work for the government? What if I have changed agencies once or multiple times in recent years?

If you have left the government, OPM will send you a notification via postal mail to the last address the agency has on file. OPM will verify this address with the National Change of Address (NCOA) service before mailing a letter.

If you have moved between agencies, OPM will send an email notification to your government email account for the agency at which you are currently employed. If your email address is unavailable, notification will be sent via postal mail.

i am a former employee of the internal revenue service. i worked for the irs from 1989-2007. i also worked for veterans administration from 1987-1989. last month i learned that my paypal credit account/credit card had been compromised and someone tried to make an unauthorized charge on my card. fortunately it was stopped by paypal. i wonder if i am part of this huge data breach. i've NEVER had any type of trouble. i change passwords on a regular basis. this whole situation has scared the BEJESUS out of me. i immediately placed a fraud alert on the 3 major credit bureau accounts. VERY SCARY SITUATION !!!!

The latest reporting indicates that SF-86s were taken. Does the data loss include DSS/OPM investigator notes? Does it include polygraph, health (counseling) and foreign contacts? Why is OPM NOT being forthcoming in discussing specific data loss details? Do we need to file FOIA requests to request what data was compromised? The loss would also constitute a violation of 1974 Privacy Act security - OPM is required by law to notify victims of specific data compromise.

I had to call the credit monitoring agency THREE times yesterday. They can't pronounce the words in the script they are told to read to us and they certainly don't know what it means! Not user friendly at all! My account has now been locked and I have to wait 1 - 3 business days for further assistance. Completely unacceptable!!! Not only do you allow the compromise of my personal information, you are now providing substandard service that is supposed to help me.

I read nothing on the OPM, FTC or CSID sites mentioning security check info listed on federal employees applications or security check forms. What about those of us whose info was included for them to get security clearances?

This never should have happened. OPM should have done everything possible to protect our information. There are no excuses. This is ridiculous.

Does this include active duty military members?

sure does. just got a notice in the mail a few days ago. both me and the wife (who's National Guard)

The security breach was also concerning over 400,000 tax returns. Will those affected individuals be notified via letter? Nothing has been stated in the news or the IRS web site. Who should someone contact concerning the IRS security breach? That also includes social security numbers, address, bank accounts and more. Also, lists any information concerning dividends, etc. and more.

Is everyone affected willing to participate in legal action?

I'm with you, anybody have information yet. Three years isn't right.

OPM, how do we know we can trust you and CSID?

Our personal info SHOULD NOT BE STORED ON A SYSTEM THAT IS CONNECTED TO THE WEB by the Government or by ANY business. To do so shows a complete lack of concern for employees, taxpayers, and customers. We are FORCED to acquiesce to this complete disregard for our security if we want to a) Have a job (anywhere); b) Buy or rent a place to sleep; c) Obtain any type of health care (whether we pay ourselves, or through insurance); d) Have a telephone or any other "utility" service; e) Have a bank account; f) Pay our income and/or property taxes; g) Drive a vehicle; or h) Any of a number of other things I'm not thinking of right now. WE CANNOT PARTICIPATE IN ANY OF THESE BASIC LIFE FUNCTIONS WITHOUT "AGREEING" TO HAVE OUR PERSONAL INFORMATION POSTED ON THE WEB FOR ANYONE TO STEAL. Then, when someone steals it, the offered solution is to allow us to go to another website, and input our personal information again, so that another business can safeguard it for us? Are you kidding me???

How does this impact security clearances? Will there be any delays, forfeiture, denial?

For the most current information, go to opm.gov. As of June 15, 2015, the Frequently Asked Questions on opm.gov don't address your question about impact on security clearances.

Why my account is not verified?

Office of Penetrated Mainframes, opm

OPM doesn't have my current address. Mail will not be forwarded from the last address they may have. Who do I call to check to see whether my data were compromised? How can I "get notice"??

Go to opm.gov for the most current information.

On June 18, 2015, the OPM website says that if you are an affected person and you've left the government, OPM will send you a notice by postal mail to the last address the agency has on file. OPM will verify this address with the National Change of Address (NCOA) service before mailing a letter.

I received a letter today which looks quite suspect. Refers to a different credit monitoring service (AllClear ID) also letter was addressed to a past last name of mine.

Go to opm.gov for the most current information about the breach.

The credit monitoring service and identity theft insurance OPM is offering is with CSID. If you're affected, OPM will send you information about CSID.

OPM will notify people whose information might have been compromised. They started notifying people on June 8, 2015 and will continue through June 19, 2015. The email will come from opmcio@csid.com. It will have information about credit monitoring and identity theft protection services being provided to Federal employees affected by the data breach.

If OPM doesn't have an email address for a person, it will send a standard letter through the U.S. Postal Service. OPM's letter will refer to CSID.

When I go to www.csid.com/opm, one of the first things it asks me for is my social security number. After all of this, I am totally uncomfortable entering this online. Advice?

Go to opm.gov for the most current information.

On June 18, 2015, the OPM website said it is using the sender “OPM CIO” and email address “opmcio@csid.com” to notify affected individuals. Make sure the link in the email takes you to www.csid.com/opm, where you will need to click the “Enroll Now” button and provide your information. When you enroll, you will be required to provide personal information to begin your credit monitoring services.

If you get an email about the breach from a different address, it is spam. Do not click on any links or provide any personal information.

where was cybercommand, can't we just let them run the .gov TLD. how many other federal agencies are sitting fat waiting on their 59, pushing off that federal datacenter consolidation; time for an executive order from the top. trim the fat.

when i go on the csid website, one of the first things i'm asked for is my ssn. i'm not feeling comfortable about entering this online, too, in light of everything. please advise.

Go to opm.gov for the most current information.

On June 18, 2015, the OPM website said you can get more information about CSID by going to the company’s website, or by calling toll-free 844-777-2743. If you're an international caller, call this number collect: 512-327-0705.

In general, if you want to get identity protection, you have to give a company information to prove you are who you say you are. You might have to give your social security number and other information so they can locate the accounts you want them to monitor.

OPM just sent me a letter too. Had me go to

and letter says "OPM will never ask you to confirm any personal information". They had a 25 digit pin number on the letter they sent me and only asked for my last 4 of SSN and I thought "great, with the pin # and my last 4 of SSN, the government will know who I am!" ... and then it takes me to a different website opm.myidcare.com and then THEY ask for my entire SSN!!!

I received an email purporting to be from opmcio@csid.com, instructing me to go to a specific website and enter personal information in order to sign up for the ID theft / security monitoring. The phone numbers that were listed in the email -- the ones I supposedly should call if I had questions -- were different from the ones I've seen online on governmental websites. For example, this website and others have csid's phone number listed as 844-222-2743, but the phone number listed in the email I received was 844-777-2743. That's a different number. Also, international callers were directed in the email to call 512-327-0705, but the official (xxx.gov) websites indicate that it should be 512-327-0700. Frankly, I am terrified that I might not be able to identify fraudulent phishing scams based on this security breach! What a mess.

I work at a VA; we have an employee who will be clearing the facility 06/19. If current employees are being notified at their work email address, she very well may be gone before an email is sent to her. From what I understand, CSID is not sending out letters if they notify individuals by email. In this case, they may miss her but not realize it. Any suggestions for her?

Go to opm.gov for the most current information.

On June 18, 2015, the OPM website said that if you've left the government, OPM will send you a notification via postal mail to the last address the agency has on file. OPM will verify this address with the National Change of Address (NCOA) service before mailing a letter.

If you moved between agencies, OPM will send an email notification to your government email account at the agency you work in now. If your email address isn't available, OPM will notify you via postal mail.

is the letter from CSID (Secure Processing Center) legitimate? Enrolling in the complimentary subscription to 'CSID Protector Plus' requires you enter SS# and personal info.
