OPM data breach – what should you do?

Update (December 9, 2015): OPM discovered a second data breach that affects federal employees, contractors, and others. If you received a letter from OPM, please visit opm.gov/cybersecurity to learn more about what happened and to sign up for free identity protection services.

A data breach at the Office of Personnel Management (OPM) – and you’re a current or former federal employee whose personal information may have been exposed. What should you do? Take a deep breath. Here are the steps to take. 

First Steps

  • Check your credit report at annualcreditreport.com. Look for accounts or charges you don’t recognize. Even if the breach didn’t involve credit card information, thieves may use your Social Security number, address and date of birth to open accounts in your name.
  • OPM announced that it plans to offer credit report access, credit monitoring, and identity theft insurance and recovery services to potentially affected individuals. Take advantage of this offer.
  • Place a fraud alert on your credit reports. With a fraud alert, businesses must verify your identity before providing new credit. An initial fraud alert lasts 90 days but you can renew it.    

Next Steps

If your information was exposed, then OPM will send you a letter explaining what information was involved. Your next steps depend on the type of information exposed:

Social Security number

  • Consider placing a credit freeze. Why? Thieves can use your Social Security number to open new accounts. With a credit freeze, no one can open a new account in your name (until you lift the freeze).
  • Next year, try to file your taxes early – before a scammer can. Once your Social Security number is exposed, a thief can use it to get your tax refund.

Bank account, credit card, or debit card information

  • Contact your bank or credit card company to cancel your card or close your bank account. Request a new account number.
  • If you have automatic payments, update them with your new account number.
  • Review your transactions regularly to make sure no one has misused the account.

Online login or password

  • Log into the account to change your username or password. If you can’t log in, then ask to shut down the account.
  • If you use the same password elsewhere, change that too.

For updates about the breach, check OPM’s website. For more information about what to do after a data breach, and a handy checklist of steps, visit Identitytheft.gov/databreach.

Remember to continue checking your credit report at annualcreditreport.com, in case information is misused in the future. You can order a free report from each of the three credit reporting agencies once a year.

If you discover that someone is misusing your information, you’ll need to take additional steps, including filing a complaint with the FTC. IdentityTheft.gov walks you through those steps – because recovering from identity theft is easier with a plan.   

Comments

Go to opm.gov for the most current information.

On June 18, 2015, the OPM website said that OPM is offering credit monitoring services and identity theft insurance to people who were affected. OPM offers those services through CSID. People who are affected can get access to their credit reports, credit monitoring, identity theft insurance, and recovery services for free for 18 months.

In general, if you want to get identity protection, you have to give a company information to prove you are who you say you are. For example, you might have to tell your social security number and other information so the company can locate the accounts you want them to monitor.

OPM said you can get more information at the company’s website, or by calling toll-free 844-777-2743. If you're calling from outside the U.S., call this number collect: 512-327-0705.

What effect does this have on SEEs (who are non-Federal employees)?

Go to opm.gov for the most current information.

On June 18, 2015, the OPM website said people in several groups might be affected. People might be affected if they work, or used to work, for a Federal agency for which OPM maintains the personnel records. They might also be affected if they worked for a Federal agency or organization that sent records to OPM to support their future retirement processing.

I just want to warn those of you considering placing a "freeze" or "fraud alert" as suggested - placing a fraud alert or freeze on your credit causes its own issues. I have had to do this in the past because of identity theft and then I myself was unable to get credit because of the credit freeze. Because I had moved in the last year they couldn't verify my identity and I was unable to open any new accounts. It took months to clear up.

A credit freeze lets you restrict access to your credit report, which makes it harder for identity thieves to open new accounts in your name. A freeze remains in place until you ask the credit reporting company to temporarily lift it or remove it altogether.

If you place a freeze, be ready to take a few extra steps the next time you apply for a new credit card or cell phone – or any service that requires a credit check.

Our Credit Freeze FAQs have more information.

Our PII is forever, but the response coverage expires in 18 months.

I've worked for the Federal Gov't either as a DoD Civilian employee or contractor for over 20 years. Bearing that in mind you should be able to guess how many SF 86's and EPSQ's I've had to complete for my background investigations/PR's. To say that if background information was compromised may not be important is absolutely ludicrous !! Those forms contain ALL of our financial information (bank accounts, credit cards, mortgages, etc) family names/addresses, and so on. Basically, our entire lives. When considering all of the information we are required to provide the Federal Gov't for our clearances, if that information is being "sold" by the hackers to criminal elements or groups like ISIS, they have in essence potentially placed military personnel, civilian government employees and contractors at risk for being targets. In my opinion this is something that is and should be considered very serious. I know I plan to notify my family members to be watchful of anyone or anything that may be out of the ordinary. This is more than just the possibility of a threat of identity threat. The idea that this happened a few months ago and we are just now learning of this is deplorable and irresponsible. How many people have already experienced possible identity theft or fraud that could have prevented it at least 2 months ago had this information been made public?

What address will they be using? The most recent on file with the federal government, VA or SSA or HHS, or our most recent address when we were employed? Let me guess: We don't know.

Go to opm.gov for the most current information.

On June 22, 2015, the OPM website said if a person was affected by the breach announced on June 4, and that person has left the government, OPM will send a notification by postal mail to the last address the agency has on file. OPM will verify this address with the National Change of Address (NCOA) service before mailing a letter.

If an identity thief causes harm to my finances, I believe OPM will be required to reimburse me. This entire situation is due to the fact that OPM ignored their inspectors complaints that their IT systems were antiquated and not effective against this type of cyber attack.

Outside of the normal information, would CSID ask for my bank account information, credit and debit card information, DL # and medical information when I register? Several other employees got an email and link that asked for that information.

Go to opm.gov for the most current information.

On June 22, the OPM website said you can contact your agency’s privacy officer if you want to check on the email you received. OPM said it gave government privacy officers information to help privacy officers validate the emails for you.

OPM said that if you are affected, you could get an email from sender “OPM CIO” from this address: opmcio@csid.com. A valid email will have a link in the body of the email that takes you to www.csid.com/opm, where you can click the “Enroll Now” button and provide your information. If you enroll, you have to give personal information to start the credit monitoring service.

If you get an email about the breach from a different address, it may be phishing. Phishing happens when a scammer pretends to be a business to trick you into giving out personal information. Do not click on any links or provide any personal information if you suspect an email is phishing.

CSID contacted me and I followed all the instructions to set up the account. However, my wife was not provided an account and ALL of her info (SSAN, etc) was included on original application for job, clearance and retirement money etc!!! Why is she not being contacted? Or is this coming later in what has now been expanded to 18 million hacked?

Go to opm.gov for the most current information.

On June 23, 2015, the OPM website said that at this time, it has no evidence to suggest that family members of employees were affected by the breach of personnel data. OPM also said that if other exposures are found, OPM will conduct additional notifications as necessary.

Open note to all USG employees, please push hard for USG-provided credit monitoring for life to address this and likely future breaches.

Prior to retiring, I was advised and did download my entire electronic OPM file. During my employment I was required to provide and did provide the SSN of my wife. Her SSN is clearly shown in my electronic OPM file. Will she too have the protection from CSID as being offered to me?

Go to opm.gov for the most current information.

As of June 24, 2015, the OPM website says it has no evidence that family members were affected by the breach, but if they learn family members' information was exposed, it will send more notices. You can read more about how retirees might be affected on the OPM site.

I received the letter from OPM that my personal information has been compromised. My spouse works for NIH. The PIN number I was provided was invalid! How can that possibly happen? Was my letter hacked? Does someone have access to even more of my information? Has someone registered under my name and have access to my account with the cyber security company. In short, you've got to be kidding!

Another frustrated spouse here, hubby works for NPS, my PIN is also invalid. The incompetence is astounding!

I was a DOE contractor but left many years ago. I'm pretty sure they didn't have my contact info. I called the 844 number to see if my info was compromised and it was. I got the PIN etc, but just FYI don't count on the OPM to know how to get in touch with you. Also CSID has no idea how to update OPM with your current info

"On June 22, 2015, the OPM website said if a person was affected by the breach announced on June 4, and that person has left the government, OPM will send a notification by postal mail to the last address the agency has on file."

1. I retired at the beginning of 2015. Why did I receive an e-mail instead of a physical letter?

2. One of my family members is STILL a Federal Employee; why wouldn't THEY have received an e-mail yet?

3. I called CSID to ask a list of questions to get clarification AND to register over the phone instead of entering PII online, hopefully to pick their brain about the safety of doing ANY financial transactions online at all. Called at 6:00am Central and after waiting about an hour, got a phone rep who had been working there for ONE WEEK. He knew absolutely nothing about IT or online computing security. The one piece of information he did give me was that the million $ policy goes into action whether we register or not (which is in the information on OPM.gov already). He did not seem to be leaning toward letting me sign up over the phone (and if he has been working there one week, what kind of security background check could HE possibly have been subjected to??!!!!) Once I realized that he was a temp hire with probably a lifetime of job security and absolutely zero knowledge about computing security, I bailed on the call to think all of this over.

4. WT* is wrong with THIS picture?! OPM - Information About the Recent Cybersecurity Incidents Updated June 23, 2015 Precautions to Help You Avoid Becoming a Victim *Do not send sensitive information over the Internet BEFORE CHECKING a website’s security (for more information, see Protecting Your Privacy).

That link leads to a DHS/US-CERT "Security Tip" page with a PROMINENT note that SPECIFICALLY states, "To protect your identity and prevent an attacker from easily accessing additional information about you, AVOID providing certain personal information such as your birth date and social security number online." "Before checking" does NOT equal "AVOID"! The CSID/OPM https connection to csid is "encrypted with modern cryptography."

STILL, the instructions to enter our SSN and whatever other PII online that is required to register is in direct conflict to the note from the DHS/US-CERT note about Protecting Your Privacy and just flat out defies common sense and a really bad gut feeling. Even if the CSID connection IS 100% secure (probably no such thing), retirees without the ability to sign up over a presumably secure "at work" government PC either wired or via VPN don't have a clue what kind of trojans, keyloggers, whatever nasty malware is out there now is lurking on their computer and OS of choice. I know CSID can't field 4 million registrations over the phone, but there should be a better way to enroll than voluntarily handing out very detailed PII over the Internet. It has already been handed out to God knows who. And doesn't it stand to reason that dedicated cyberthieves looking for the big payday are working 24/7 to find new ways to harvest PII submitted online?

5. I know attorneys and any public spokespersons for any Federal agency have to be extremely careful about statements they make, but the pat answer of, "Go to opm.gov for the most current information.Go to opm.gov for the most current information." "You can read more about how retirees might be affected on the OPM site." just brings up visions of Martin Short as the chain smoking attorney in the old skits on SNL. Sorry Bridget, I know you are following protocol and I am sure your workload is overwhelming; I had to do the same at my agency, every year since 2008 with fewer resources and more demands, but it just makes me sad, frustrated and frankly, scared.

While I have been caught up in this fiasco along with the other millions of current and retired federal employees, I have a question for which I can’t seem to locate the answer.
We are encouraged to place a ‘Fraud Alert’ with one of the credit bureaus who will then communicate it to the other two. OK…in my reading I see that this ‘Alert’ is good for 90 days but can be extended, at no cost, for a period of 7 years. However in looking at the Trans Union and Equifax websites to effect this extended alert not only must one request the extension from each credit bureau, but also provide a copy of the identity theft report (Trans Union) or a copy of a law enforcement agency report (Equifax). Everyone knows the data has been breached and out there, OPM is the ‘company’ that committed the breach, etc.
I guess my question is this, Is the expectation that we wait until something does happen in an untoward fashion with our compromised data or take a proactive approach and generate an Identity Theft Report now, take it to the local police department get it registered and request the extended fraud alert protection. Updating the two documents when and if we get gutted by the thieves?
A corollary question comes to mind….Is there a limit to the number of times an extended fraud alert can be requested? Thank you, FedFrigged345

If you get a notice that your information was exposed in a data breach, you can take steps to protect yourself. Read more at identitytheft.gov.

When you know your information has been exposed, you can place a fraud alert. That makes it harder for someone to open new accounts with your information. You can renew a fraud alert indefinitely.

Or, you could get a similar amount of protection by placing a credit or security freeze on your credit report. Whether you get a "credit freeze" or "security freeze" depends on what's available in your state. To get a freeze, you have to contact each of the three credit reporting companies individually, and pay a fee.  The freeze is permanent, unless you lift it. You can lift it temporarily or permanently. 

A 7-year or extended fraud alert applies to identity theft victims. To place an extended fraud alert, an identity theft victim must have an identity theft report, or something similar. A victim can place a 7-year extended fraud alert and doesn’t have to renew it every 90 days.  When a victim places an extended fraud alert, she gets additional free copies of her credit report.

You said "You can renew a fraud alert indefinitely." That would be good because OPM gave away my information forever, the risks that OPM created last indefinitely. Are fraud alert renewals something that I will have to pay a credit reporting service for indefinitely?

Identitytheft.gov explains what to do if you're an identity theft victim who knows your information has been misused.

Identity theft victims can get extended fraud alerts by contacting the three credit reporting companies and providing copies of the Identity Theft Report they created about the theft. It's free to place and remove an extended fraud alert for identity theft victims.

There is different information for people who got a notice that information was exposed in a data breach, but aren't identity theft victims. See this page for tips on what to do.

This article explains the differences between a fraud alert and a credit freeze, and who can get them.

Does this data breach impact gov't contractors as well?

Go to opm.gov for the most current information.

OPM said the breach announced on June 4 did affect current and former Department of Defense civilian employees, but didn't affect contractors, unless they previously held Federal civilian positions.

There are millions of us (18 million as cited by the AFGE lawsuit) that have never been contacted by OPM or CSID. OPM director, office of CIO, and inspector general all say call CSID. After calling for 4 days and waiting 6 hours on phone, CSID said they can't enroll me .. but they will sell me credit protection. I know I am in the affected groups due to prior government service and other related information. FTC please help us.

Go to opm.gov for the most current information.

If you were affected by the incident announced on June 4, you would have gotten an email or paper mail notice from OPM within a few days after June 19.

The OPM website says that if you didn't get an email or paper mail notice, CSID can tell you if you're eligible to enroll. You say CSID already told you you aren't eligible to enroll.

If you want to protect your credit reports, you could get a credit freeze. A credit freeze stops anyone from getting access to your credit reports, unless you lift the freeze or remove it. Go to identitytheft.gov to read more about identity protection steps to take.

Was looking at signing up for CSID - a privately held corporation. Their privacy policy is clear particularly when they say
"In addition, in the event of a merger, acquisition, or any form of sale of some or all of our assets to a third party, we may also disclose your personal information to the third parties concerned or their professional advisors. In the event of such a transaction, the personal information held by CSID will be among the assets transferred to the buyer."
So the take away is - don't hack OPM, just buy the data (assets) from CSID.

I worked at a VA Hospital for 10 years as a volunteer, becoming an unpaid government employee, and this is the thanks I get? From here on out, it looks like their usual "every man/woman for themselves". Stop paying taxes!

I have looked at the OPM website - no info on employment date ranges affected. Does FTC (or anyone else) know if there are employment dates NOT affected? I was a government employee from 1975-77. My agency in the 70s made a lot of use of computer data, for what it's worth. Can I assume I'm safe, or did some agencies input employee info from that far back?
I was also an independent contractor from the mid 1990s until about 2007. Should I assume that information was compromised? I haven't received a USPS notification.

OPM issued a press release on Thursday, July 9, 2015. In it, OPM stated that “in the coming weeks, a call center will be opened to respond to questions and provide more information. In the interim, individuals are encouraged to visit https://www.opm.gov/cybersecurity. Individuals will not be able to receive personalized information until notifications begin and the call center is opened. OPM recognizes that it is important to be able to provide individual assistance to those that reach out with questions, and will work with its partners to establish this call center as quickly as possible.”

Thank you!

So, I just received an ALERT from CSID. When I called I was asked to provide my ss#, DOB, and address. I provided all, and am now wondering if that was a mistake..? Should/Would CSID be asking for this information when a Federal Employee calls in?

Go to opm.gov for the most current information.

If your information was affected by the data breach announced in June, you should have already received a notification from OPM.

If you got a notice in June and enrolled in credit monitoring and other services with CSID, you can call CSID with questions about the services. Please call CSID at 844-777-2743.

Can someone in DFAS assure us that our bank information is secure? I feel the next hack is DFAS and we will be really screwed.

I am a USPS rural carrier. I am a contractor, but the USPS makes me have the same clearance as employees to carry mail. I didn't get a notice, although the USPS has my background, fingerprints, drug test results, and all personal data including bank account info. I never received anything from OPM. Am I just SOL?

You can get the latest details at opm.gov.

OPM has announced two different breaches. In June, OPM announced a breach of personnel information. OPM says contractors weren't affected by the personnel information breach.

Later, OPM announced a background check breach, and said some contractors might be affected. OPM will send notices to people affected by the background check breach, but as of August 10, 2015, it hasn't sent any notices.

I just enrolled for CSID, entered my information and created a username and password. It said the account was created successfully and then it asked me to log in using that username and password. I clearly had not forgotten it in the time I entered it and verified it, yet when I put in the information, it said the login was invalid. I thought maybe I just mis-hit a key so I re-entered my username and password which locked my account. There is no help button to request my account be unlocked. How does it get unlocked? Time? Help desk?

The OPM website at opm.gov has information, and a series of questions and answers to help people. OPM.gov lists this number for CSID’s call center: 844-777-2743.

I work for a national laboratory. The best insult to injury here has been a series of meetings that you are "invited to attend" to learn about this and what you can do to mitigate damages...AT YOUR OWN EXPENSE! Either I pay for my time to attend, or I have to ask my manager to pay for my time. The OPM/DOE don't think they need to pay for my time for their own error. Obviously, if I do NOT go, they will retaliate that I must not have cared enough to attend... seriously!

Have the notification letters and/or credit monitoring e-mails begun to be sent to those 19.5+ million or so affected by the SECOND (background information check files) data breach at OPM?

Go to OPM.gov for the most current information. OPM regularly updates information about response to the breaches.

As of today, OPM has not started sending notices about the second breach that included background check information.

Interesting that when I tried to obtain my protection from ID Experts, the system apparently is not recognizing the PIN that was mailed to me. This was from the person who answered the phone because the system gave me a "your personal information is not recognized response." I waited 10 minutes on hold and he came back to say they are overwhelmed with calls (not enough people to handle the call volume) because the system is not recognizing some of the PINs that were recently mailed out. If this isn't government at its typical worst, I am unsure what is but I'm very sure this is another government kerfuffle from incompetent public agencies.

I'm a retired USAF Veteran and my husband had to get a security clearance for a job he left about 10 years ago. When this information was no longer relevant to our continued employment, why was it not destroyed?

Apparently the breach includes any civilian DoD background investigations done after 2000.

This is a huge national security risk. I can't believe the news has been silent on this angle. Think of all the people with clearances whose personal SF-86 info could now be used to blackmail them. It's not a stretch to think people working overseas could be kidnapped and tortured for info. Then again, if someone wants sensitive info about our government programs, they could probably just get it over the web, LOL.

Just got my notice in the mail and when trying to use the PIN that was *just* provided I receive notice that the PIN is invalid. Good job guys, probably the same attention to detail that led to getting hacked in the first place.

NotMyUserName, I have the same problem. They told me to "watch" on the OPM Facts site which will eventually tell me how to proceed..."it should be soon". So it's on me to "watch". O'Bama Care on a smaller scale (hopefully). Think we need to let FOX News, NBC, etc. know the issues we are having to identify how big a problem this is and maybe get some help. They certainly don't care.
