
OPM data breach – what should you do?


Update (December 9, 2015): OPM discovered a second data breach that affects federal employees, contractors, and others. If you received a letter from OPM, please visit opm.gov/cybersecurity to learn more about what happened and to sign up for free identity protection services.

A data breach at the Office of Personnel Management (OPM) – and you’re a current or former federal employee whose personal information may have been exposed. What should you do? Take a deep breath. Here are the steps to take. 

First Steps

  • Check your credit report at annualcreditreport.com. Look for accounts or charges you don’t recognize. Even if the breach didn’t involve credit card information, thieves may use your Social Security number, address and date of birth to open accounts in your name.
  • OPM announced that it plans to offer credit report access, credit monitoring, and identity theft insurance and recovery services to potentially affected individuals. Take advantage of this offer.
  • Place a fraud alert on your credit reports. With a fraud alert, businesses must verify your identity before providing new credit. An initial fraud alert lasts 90 days but you can renew it.    

Next Steps

If your information was exposed, then OPM will send you a letter explaining what information was involved. Your next steps depend on the type of information exposed:

Social Security number

  • Consider placing a credit freeze. Why? Thieves can use your Social Security number to open new accounts. With a credit freeze, no one can open a new account in your name (until you lift the freeze).
  • Next year, try to file your taxes early – before a scammer can. Once your Social Security number is exposed, a thief can use it to get your tax refund.

Bank account, credit card, or debit card information

  • Contact your bank or credit card company to cancel your card or close your bank account. Request a new account number.
  • If you have automatic payments, update them with your new account number.
  • Review your transactions regularly to make sure no one has misused the account.

Online login or password

  • Log into the account to change your username or password. If you can’t log in, then ask to shut down the account.
  • If you use the same password elsewhere, change that too.

For updates about the breach, check OPM’s website. For more information about what to do after a data breach, and a handy checklist of steps, visit Identitytheft.gov/databreach.

Remember to continue checking your credit report at annualcreditreport.com, in case information is misused in the future. You can order a free report from each of the three credit reporting agencies once a year.

If you discover that someone is misusing your information, you’ll need to take additional steps, including filing a complaint with the FTC. IdentityTheft.gov walks you through those steps – because recovering from identity theft is easier with a plan.   

Comments

An OPM letter arrived for my wife but not me, yet I'm the one with the high level security clearance. When I tried to enroll her it got her information mixed with mine and resulted in a botched application and an invalid PIN. So now both she and I are stuck with a confirmed breach of our data and no way to complete the ID Experts Identity Theft Insurance application. WHAT DO WE DO NOW???

Go to opm.gov for the most current information.

As of 10/21/15, OPM says that if saying your information was affected in the breach of background checks, you're automatically covered by identity theft insurance and identity restoration services. You need the PIN in the OPM letter to sign up for additional services.

If you get a notification letter, it should include a PIN. You can try using that to register. OPM posted questions and answers for people affected by the breach. It includes information for people who don't have a PIN, or who lost their pin.

FYI it looks like you received 5x PINs on one letter, but all five boxes are actually one complete PIN. I initially made that mistake when first trying to hastily log on.

I have used the 5x PIN number OPM sent, both with and without dashes. The ID Experts site still does not allow you to register. It would be nice if at least a POC was provided with your failure message.

I also tried to create an account several times using the supplied PIN, however I get an "Invalid PIN" alert. When I contacted OPM they said several people were having the same problem. The fix is to either set it up over the phone (and provide all personal information) or keep checking the OPM website for additional information. I am not comfortable with giving my personal info over the phone, as they already demonstrated their inability to protect information. Has anyone else had this problem and got it sorted out? I don't see any information on the OPM website on what to do if the PIN they supplied is incorrect.

After six months, OPM finally sent me a 25 digit PIN and notified me that my information was compromised. After 40 years of service, the amount of information on the SF-86 and associated forms becomes astronomical, not just on myself but on three generations of my family. Yet all I can see is a profiteering enterprise that wants to put cookies on my machine, be able to "share" my data even further, and agree to an "arbitration clause". Even worse, this firm refuses to identify themselves, and after talking to three levels of "supervisors" repeatedly contradicted to each other. When does somebody finally take this seriously? What are our Senators, Congressmen, and Presidential candidates saying?

All my info and information has been hacked by a foreign entity. We were sent a letter by OPM saying our name and personal info has been compromised. We need help.

You can use the information in the letter OPM sent you and go to the OPM website at opm.gov for more information.

We had the same problem..."Invalid PIN"-tried the automated phone system-"Invalid PIN"-waited on line and spoke with a rep (???)-he read a long list of questions I would have to answer-a TON of personal info.-he tried the # on my letter-same message "Invalid PIN"- he then said I would need to speak with someone else & placed me on hold. I hadn't planned to give all of the info. -just wanted to hear what they would say-ended up hanging up! Very frustrating & fishy! Will try online in a few days. UGH!

If you have a freeze on your credit files, you have to unfreeze them for a week just to sign up for part of the service. Not sure if that's advisable since most of us have already had our PII breached before this one. Question: do we have to leave the credit files unfrozen for three years to get the credit monitoring service from ID Experts? I assume so but have not confirmed.

Really??? I had my credit files frozen, but nobody "warned" me that my credit files need to be unfrozen. How did you discover this solution?

I just got my letter and made an account but it's asking for my ss# ummm I'm not comfortable with that

I also have an INVALID PIN error message when I tried to do it online. The online rep response was "yeh the government knows about it and check the website for further guidance in the future." Oh yes, rely on the government to help. OH PLEASE..

Is this legitimate? I followed instructions to enroll, entered the code, when I tried to re-enter, I got "invalid Pin". I called the 800 number, agent placed me on hold, transferred me. Then next agent said the reason I cannot use my pin code is because I already have credit freeze with the 3 credit bureaus. What worries me is that csid now has my personal info, and I cannot login to verify what is going on. Who in the government should I contact? Is this OPM thing another scam?

Go to opm.gov to read about the information breaches.

Did you put the credit freeze on your account?

If you did, you're protected by the credit freeze. You can limit who gets access to your credit report. When you have a credit freeze, it's harder for an identity thief to open new accounts in your name.

If you don't want a company to have your information, contact them and ask them to remove your information from their files.

Just received my notification "letter" today, as did my wife -- by virtue of her "marital connection" to me. As a citizen of another country with extremely strong privacy protection laws, she was NOT amused.

OPM spared "no (taxpayer) expense" with its form notification letters! / sarc /

Not bad: July 9, 2015 - Nov 07, 2015 ... for a form letter X 20 million. / sarc /

I will echo the previous posters: where is Congress, where is the MSM and where is our "feckless leader" in all of this ...?

It's WAY past for an Independent Special Prosecutor to investigate and this, boys and girls -- no FBI, no US DHS and no US DOJ ... arrests must be made at OPM, people at OPM must lose their jobs and retirements.

But they WON'T!

Applied for a credit card and was denied due to unable to verify ssn then the letter came in the mail that my information was compromised, figures

Had the same issue with the "invalid pin". Received letter on Friday, attempted to enter, response "invalid pin". Then called number in letter, worthless; they tried, same response, told to wait 24 hours, if still responds invalid call back Monday. Problem remained the same on Monday. Called Monday, first person attempted, still invalid, transferred to a supervisor. The supervisor then transferred me to a tech. I was on hold for 45 minutes for nothing because after the tech attempted he stated quite a few people are having similar problems. He then told me to check the website in a few weeks for an update. I asked will I receive another notice; he stated no, "it was up to me to check for the update." How much is the Government or TAX DOLLARS paying ID Experts to have them waste our time and money????

I received a letter saying my information was part of the theft, however, I am not a current or former government employee. Is it possible I received this because my husband is active duty military with a security clearance?

Go to opm.gov for the most current information.

As of 11/12/15, the OPM site says that if you got a notification letter and PIN code from OPM, it's because OPM determined that your Social Security Number and other personal information was stolen when criminals stole background investigation records.

You can use the OPM site to sign up for identity protection services and learn more about the breach.

I neither worked for the government nor have I signed any non-disclosure forms. My information was not guarded by OPM after I filled out a background form for top secret clearance for my ex-husband years ago. Now I receive a letter saying my Social Security Number is in the hands of hackers because OPM didn't safeguard it. I want monetary compensation as well as lifetime monitoring or a new Social Security Number.

I got a notice from the United States Office of Personnel Management (OPM). Is this letter legit?

Go to opm.gov for the most current information.

The OPM site has examples of the letters it sent. Look at Actions you can take now on this opm page.

I received the version of the letter that says my fingerprints have been compromised, however I don't think my fingerprints have EVER been taken. So how is that possible.

I received the letter notifying me of the breach and to sign up with my pin, but what is my pin? I have 5 sets of numbers with an alphabetical character above it and I have tried them all together and separate, but none of them work. Please explain what is the correct pin?

The correct pin will be the entire 25 digit pin. Separately they will definitely not work. If you are to enroll on a work computer, the pin will not validate (probably a security related problem...not entirely sure); if you have a credit freeze it will not work; if you have tried the pin too many times the system will lock you out and you may not be able to use your pin at all. It's very hairy, and there isn't really a way to know any of this without talking to someone over the phone and asking the right questions.

The recommendations are to request a credit freeze. Yet a credit freeze on one's accounts means that an individual cannot set up an account with ID Experts (in contrast to CSID). This seems illogical. Why would OPM contract with a company that can only set up an account if the credit freeze is lifted (i.e., force victims to become even more vulnerable)?

You are able to lift - and replace - a credit freeze. The cost to place and lift a freeze, and how long the freeze lasts, depend on state law. This FTC article tells more about how credit freezes work.

If you choose to place a credit freeze, it may not stop misuse of your existing accounts or other types of identity theft. The companies you do business with would still have access to your credit report for some purposes.

Is it safe to give "MyIDCare" my soc. sec. no.? This is the company that OPM's website tells me to connect to.

The OPM website tells how to sign up for identity monitoring and credit monitoring services if you want those services. The OPM website has a link to My ID Care, which is providing the services.

How do I know terrorists will not use my information for fake passports?

What should the return address be on the letter we receive? Cannot find anything about this on their website and I want to make sure the one I got in the mail is legitimate.

The OPM website (opm.gov) shows samples of the letters they sent to people affected by the breaches. View the letters on this page on opm.gov under Actions You Can Take Now.

It shows samples, but does not say what the return address on the letters should be.

So I'm supposed to enter in all my information that was compromised AGAIN when I sign up for OPM? LOL I don't think so.

My question, as well? What do I need to do to protect my passport information? Will they reissue a passport with a new number or is it like the SS# that you can never change it even for protection? Does OPM notify the other agencies/depts. of each person's compromised information in this matter, ie IRS, SS, and State? If so, will it raise flags each time I have transactions, such as filing my taxes, traveling, etc.?

Just wanted to follow up on the passport thing. You can report it lost or stolen in this case, not compromised, at no cost. Then, for $135 total, you can get it replaced in 5 weeks time after going through the entire process the same as when you first applied for the passport. So, add that to changing all of your account/credit card numbers; re-setting up all of your auto pays, withdrawals, and deposits; placing credit freezes on your accounts, which cost you each time you lift them for credit approvals; and placing a fraud alert each 90 days, because this is not considered Identity Theft; and lastly, changing all of your passwords and user ID's. Remember, this is not considered Identity Theft in their eyes. Don't forget that if you included foreign citizen information for relatives on your clearance, their passport or visa information was compromised, also, but they are not included under the CSID coverage.

There are important differences between a fraud alert and a credit freeze. Read about the differences and then decide which one is best for your situation.

A fraud alert protects your credit from unverified access for at least 90 days. You could place a fraud alert on your file if your wallet, Social Security card, or other personal, financial or account information are lost or stolen. If you place a fraud alert a creditor can still get a copy of your credit report as long as it takes steps to verify your identity. Fraud alerts may be effective at stopping someone from opening new credit accounts in your name, but they may not prevent the misuse of your existing accounts.

If you place a fraud alert and later find out that your information was actually misused - meaning you are an identity theft victim - you can place an extended fraud alert that lasts 7 years.

A credit freeze stops all access to your account, unless you lift or remove it. A freeze makes it more difficult for identity thieves to open new accounts in your name. If you have an active credit freeze, a creditor can't get a copy of your credit report.

I also received a letter saying my information was compromised. I was told my ss number, address, banking info and finger prints have been compromised. What a major screw up this is! All this risk because I worked for post office part time for less than a year. I absolutely agree that this situation has resulted in undetermined level of risk that will ride with us for the remainder of our lives. And for this gross level of incompetence we are offered credit watch for 18 months. Talk about feeling like a victim.

The ID Experts OPM.gov sends you to, they ask for your social security number. Is it safe to give it to them? I did, but now I am worried this whole thing was a scam. The IDExperts web page looks legit though. I truly despise the Obama administration with a deep passion now. I did not think my anger for them could get deeper. Why are we getting only 3 years of cyber protection by the way? Shouldn't it be for life? Who got fired over this? Bush sent us $600 checks in the mail. Remember that? Obama sends us identity theft.

We all need to be protected for life. Alerts on credit records are inadequate.

How about placing alerts on the ***Social Security records*** and issuing new SSNs to those whose information was stolen? Wouldn't that be cheaper than paying for the 3 years of credit monitoring?

Three years of monitoring won't help much anyway! Do you really think that the ones who stole the information won't know precisely when the monitoring ends? They'll just sit on their treasure trove until it's easier to use in three years!

I received the letter from US OPM indicating that my SSN, fingerprints and other personal information was compromised in the cyber intrusion. I followed the instructions in the letter exactly and I got a message back that "I couldn't be authenticated". I have since tried several more times and I am getting the message that the Pin Number is invalid.

I have called the number provided in the letter. I keep getting put on hold for huge amounts of time and then being told that I have to leave my name and number and someone will call back. No one ever calls back. The people on the phone are extremely unhelpful, rude, and inept.

It is crazy what a person in this situation has to go through to try and get signed up for credit and identity monitoring services.

My OPM letter was sent to my maiden name which I haven't used in over 30 years. I did a short stint with the Census Bureau about 10 years ago, long after I was married. Why is the breach showing up under my maiden name? I can only ask questions after registering my PIN. There is no way to ask questions first. I'd like an answer before I attempt to enroll and make myself more vulnerable by giving away more of my private information.

You'll find an answer to your question on the OPM website, opm.gov.

For example, the site says that some letters were mailed with old addresses or names. If you believe the letter is meant for you, you may register using the Personal Identification Number (PIN) and the last four digits of your Social Security Number at www.opm.gov/cybersecurity.

I have never worked for the federal government in my life and I'm 44 years old. How am I included in this?

I agree Mary. Same here. Never worked for the govt and I'm 45 years old. How did my info get compromised?

So not only did the OPM get breached and our personal information stolen, then they reached out to a 3rd party commercial entity and gave them our SSN and personal information to establish an account on our behalf for 18 months. I didn't agree to have ID Experts receive my personal information. Who is handling the class action lawsuit against OPM? I want in.

This is a 2-part question: 1) I went to apply for the protections from MyIDCare and the application required all of my personal info, including SS#, date of birth, address, etc. Naturally, I am reticent to fill this info out online. Is this legitimate?

2) The notice from OPM uses my married name. I have been using my birth name for many years, including with the IRS and employers, no problem. However, I never changed my name legally back to my birth name with the SSA. If the application process I described above is legit, should I use my birth name that I have been commonly using for years or the name the SSA has in file?

Go to opm.gov for the most current information.

If you want to enroll in identity monitoring and credit monitoring services, you could follow the link from the OPM site. It takes you directly to the service OPM is providing.

You may be able to get information about your name change from the service provider, SSA or the Chief Privacy Officer at your agency.

Why am I just getting this notice now? OPM had incompetent security and it took them more than six months to notify me of breach. This is typical .GOV B S
