OPM data breach – what should you do?

Share this page

Update (December 9, 2015): OPM discovered a second data breach that affects federal employees, contractors, and others. If you received a letter from OPM, please visit opm.gov/cybersecurity to learn more about what happened and to sign up for free identity protection services.

A data breach at the Office of Personnel Management (OPM) – and you’re a current or former federal employee whose personal information may have been exposed. What should you do? Take a deep breath. Here are the steps to take. 

First Steps

  • Check your credit report at annualcreditreport.com. Look for accounts or charges you don’t recognize. Even if the breach didn’t involve credit card information, thieves may use your Social Security number, address and date of birth to open accounts in your name.
  • OPM announced that it plans to offer credit report access, credit monitoring, and identity theft insurance and recovery services to potentially affected individuals. Take advantage of this offer.
  • Place a fraud alert on your credit reports. With a fraud alert, businesses must verify your identity before providing new credit. An initial fraud alert lasts 90 days but you can renew it.    

Next Steps

If your information was exposed, then OPM will send you a letter explaining what information was involved. Your next steps depend on the type of information exposed:

Social Security number

  • Consider placing a credit freeze. Why? Thieves can use your Social Security number to open new accounts. With a credit freeze, no one can open a new account in your name (until you lift the freeze).
  • Next year, try to file your taxes early – before a scammer can. Once your Social Security number is exposed, a thief can use it to get your tax refund.

Bank account, credit card, or debit card information

  • Contact your bank or credit card company to cancel your card or close your bank account. Request a new account number.
  • If you have automatic payments, update them with your new account number.
  • Review your transactions regularly to make sure no one has misused the account.

 Online login or password

  • Log into the account to change your username or password. If you can’t login, then ask to shut down the account.
  • If you use the same password elsewhere, change that too.

For updates about the breach, check OPM’s website. For more information about what to do after a data breach, and a handy checklist of steps, visit Identitytheft.gov/databreach.

Remember to continue checking your credit report at annualcreditreport.com, in case information is misused in the future. You can order a free report from each of the three credit reporting agencies once a year.

If you discover that someone is misusing your information, you’ll need to take additional steps, including filing a complaint with the FTC. IdentityTheft.gov walks you through those steps – because recovering from identity theft is easier with a plan.   

Comments

I received the letter from OPM this afternoon, however at no time have I ever worked for the government. I have worked the same job for over 7 years in the private sector and have not ever applied for a federal position. Why did I receive this letter? I want to make sure that I am doing the right thing for me and my family, however this is very confusing and worrisome. Please advise. Thank you.

Go to opm.gov for the most current information.

The OPM site lists people who might be affected by the background investigation records breaches. It includes:

  • Current or former Federal government employee
  • Member of the Military, or Veteran
  • Current or former Federal contractor
  • Job candidate required to complete a background investigation before your start date
  • Spouse, co-habitant, minor child, close contact of any of the above group

I Just received a notification and I don't fall under any of the listed criteria. Needless to say I'm upset,confused and very concerned.

Both my spouse and child including myself, all three of us, received OPM notifications so there is a greater probability of threat against us. What I’m reading seems like Band-Aid approach that puts my entire family at future risk. Is the OPM embracing measures to protect USA citizens beyond the present method said or is this as good as it gets?

How important is it that I report my passport stolen/lost? Also if I sign up for the "free credit monitoring" after doing so can I place the "freeze" with all credit bureau accounts? Or is it one or the other, freeze or credit monitoring? And lastly is the letter that i received from OPM enough to open a police report of identity theft?

If your passport was stolen or lost, read about what to do at identitytheft.gov. Look under the section called "Other Steps" and click on "Replace Government Issued IDs."

This FTC article has information about credit freezes. A credit freeze lets you restrict access to your credit report. That makes it more difficult for identity thieves to open new accounts in your name.

A credit monitoring service does not freeze your report. A company may track your credit report, and send you an email about recent activity, like an inquiry or new account. If you're considering credit monitoring, ask the company what it monitors and when it will contact you.

If you got a notice that your personal information was exposed in a data breach, that's not the same as identity theft. If you got a breach notice, read about what to do if information is lost or stolen.

If someone is mis-using your personal information to open new accounts, get a job, buy things or do other things with your information, that's identity theft. Read about what to do at identitytheft.gov.

I am an ex postal employee. My letter came to my mom's address that I have never used. I am very reluctant to put in my dob and social# in the myidcare that opm sends me to. Is this just another scam?? Doesn't look like a very secure site!

I received a letter that my SSN was taken in the breach. I go to the site to sign up for free credit monitoring (only good for 3 years - I'm in my twenties, hopefully I live a little longer than that), but in order to sign up you have to agree to their terms of service, under which, they basically say that you agree they are not liable for anything if you enroll... Is it just me, or does this not seem like a good idea? They were the ones that didn't protect my information, why should I have to agree to their terms? This is a pretty big deal. Shouldn't we have rights, other than accept their simple credit monitoring (where you have to agree that they will not be liable for anything) for only three years and now we are even?

I am very frustrated with ID Experts and OPM. Because I have a credit freeze on my accounts, there is no pro-active credit monitoring or ID monitoring. Essentially, the ID Experts coverage is useless unless I lift the credit freeze. There is no explanation of this Catch 22, which means a lot of us are wasting time trying to set up an account that will never work. (Took three tries to get an explanation of why the setup on the web did not work). Given the information accessed and the likely attackers, some real identity protection seems warranted, but you cannot get identity protection unless you lift the credit freeze.

On one hand I think that since my information is already stolen and out in the world, does it make a difference if I just enter it willy-nilly on some sketchy looking site that is provided by the Office that allowed my information to be stolen in the first place? OR, do I pony up $5 a month for my bank to do the monitoring for me (and to provide $1 million in ID theft insurance)?

I think the LEAST the OPM can do is allow us to choose our own credit monitoring service and then reimburse us for that (up to a reasonable amount)and for life (or until our identities are tied to microchips embedded in our foreheads).

Can this stipulation be included in the class action suit?

What's to stop whoever took the information from doing other things besides applying for credit? Is there going to be a way to find out if you voted 25 times at 25 different locations in the next election? ... and after 3 years, then what? What if they sit on this info for 5 years before they do anything?

Go to opm.gov for the most current information.

If you were affected by the background investigation records breach, you can choose whether to sign up for the credit monitoring and identity monitoring OPM will provide.

Identity monitoring services will monitor the internet and database sources including databases that pertain to criminal records, arrest records, bookings, court records, pay day loans, bank accounts, checks, sex offender, change of address, and Social Security number trace.

I filled out the id information for the 2 year protection it took all my personal information then it refused to submit it. when i tried to go back to the page to erase it it disappeared. what do i do now? the site said it was secure, but it didnt submit the information.

The OPM site (opm.gov) says if you have questions about an account you may call 800-750-3004.

This makes several breaches. Anyone remember the Tricare breach in Arizona? How about the SAIC one? The VA one just a few years back. Now OPM too. Looked over my last SF87 or 86. Lots of info. Unneeded info. Why do they need to know about relatives who have passed on? I say get the IT person and jail em. The odd thing is that NPRC can't seem to find my MPF. lol gubmint gotta love it.

I also tried to sign on only to get the invalid pin message. I didn't freeze my credit so that's not the cause. Any suggestions? After seeing all the above responses, I'm not sure I want to call the 800 number.

I received a letter that my fingerprints/data were affected but do not meet any of the criteria on their website.* I can't reach anyone at OPM who can tell me how my information got to OPM in the first place. Any ideas on how to get that information?

*Really - I read all of the criteria. There is no reason OPM should have my name much less my fingerprints. I work for a state agency but confirmed we don't send fingerprints/data to OPM, and none of my co-workers who went through a state background check have received letters.

I do not see the point to all this. Yes, it is a shame that this incident happened. Yes, it is devastating. Yes, maybe placing, at least, an initial fraud alert might help. But, if so many people are complaining about not getting through on the toll-free phone number and being put on hold for three, or so, hours, if the pin number doesn't work on MyID Care.com, what does this all mean? No one, OPM, DoD, or anybody, has the right answers here, including protecting the public. It's time to turn to God.

I received a letter notifying me that my Social Security Number and other personal information was included in the intrusion. I'm trying to take advantage of the comprehensive identity theft and monitoring services. I've lost my notification letter.

My notice took a long time to reach me b/c it was sent to an old address. How can I update my address with OPM so that sensitive information comes to me sooner, rather than later?

Please visit the FAQ section of OPM’s Cybersecurity Resource Center at https://www.opm.gov/cybersecurity/faqs/

If you can’t find an answer to your question, OPM asks that you email suggestions for additional FAQs to cybersecurity@opm.gov.

I have to correct some of these reports and updates for the contractors. I'm a contractor and I was affected so that is incorrect and I have been in OPM system since 1990 as a contractor and presently a contractor for the Government and I was definitely affected as I have received a letter. Again, contractors were affected in this data breach. I hope contractors like myself can be part of a lawsuit.

Can I request a PIN # to file my tax returns to ensure the returns are safe?

Please see the IRS page, Get Your Electronic Filing PIN, for more information.

OPM sent me a letter. I was in the military and did a background check for a DHS job that I applied too. So far nothing from lawyers. Apparently no one wants to take the case unless there is proof that the personal information is being used. I'm still searching for one. Credit/ identity protection is useless. I registered for it, still applied & bought a new car few months ago and never received notification that I applied dor it.

Each member of our family had their info compromised with the hack. While the gvt would give credit reports to those over 18yr it refused to give any protection for our 17yr old claiming a minor wouldn't have credit anyway. WE argued.But gvt would not listen. well. we just learned this child had identity stolen and being used. couldn't even open a bank acct. what a mess. how can i get anyone from the gvt to help me with this? where is that law suit?

Please visit IdentityTheft.gov to report and recover from identity theft.

I got the notice about the security breach. I registered for the my id monitoring which did nothing for me. So far my identity has been stolen twice already. They used 2 of my credit cards already. So where is my protection?

I was actually told multiple times in a MILITARY TOWN, no less.. At a Navy Federal Credit Union, on PineyGreen.. (Which I must say I would LOVE for OIG or better yet, President Obama, to personally audit All of our Accts. Considering in less then 2 years my husband & I, together, have had to replace our debit check cards(not including the mini's too) 15-25 times d/t theft charges, plus about the same in the NFCU Credit Cards d/t Fraud Now the we just did it all over again.... The text Fraud alerts are being sent to my HACKED CELL.. Pineygreen NFCU messed up our accts soooo much that we can't see each other's accts, I can't get cash from a ATM, d/t them in June our Credit Card was charged $2,000.00 from online, which they knew that email address was fraudulent. Oh no they would not do a dispute form, only Fraud.

ISSUE: I told them they sent the wrong cell & I was waiting on instructions, package, & all. **BEWARE: I asked the Heads @ this branch what their/NCUA data breach cybersecurity federal regulations/protocols were? ~*~: "I'm sorry we don't have any & I'm sure NCUA would had sent or informed"... I said, "well once again, money has been thieved from our accts, just like in June 2014 when I got the call from NFCU Fraud, telling me that all 11 accts had been compromised & the NFCU in Havelock Nc called the Fraud Solutions Dept to verify what I had told them. I went 3 yrs backs on all accts but 1 bc it just disappeared?.. We were owed a lot. But NFCU, I guess they liked having that $1.4bil lawsuit from JP Morgan Chase. Must be nice, we have 3 cards w/them we were sent new cards, I called to ask why? Chase wouldn't tell me. Well we missed another breach.. Seriously, NFCU/NCUA/NAFCU... There is no Regulations @ NFCU?? If this is the case, & I have taken in my letter from the US OPM many times... I will remove all our $ lock it up in my trunk. That seems safer.

We have people at our NASA Center that were in the group that had data exfilrated. They want to know what process to find to the best of OPM's ability what specific information about them, their SF85, any background investigation results or notes, etc. were lost. They are not satisfied with the generic "it *could* have contained your SSN" response. Is there a way like through the OPM FIS to request a copy of all the information pertaining to their background check and assume that this same information would have been what was lost minus any polygraph or mental health information?

I feel really bad for all of you. This type of stuff should not be happening and the fact that it keeps happening is pathetic. You all need to band together and see if you can't get a class action lawsuit going or something. Sad state of affairs when these idiots put all of our personal, private information out where it can be pilfered.

Is this over now? Are we in the clear. Or, is our information still floating out in cyberspace. Looking over our credit reports for life. Thanks OPM. Thanks a lot. They fired the department head but the IT manager is the one to blame. Probably still works there. Probably just waiting to screw up again, aren't you. Yeah, you know you're incompetent. Got the job through nepotism. Beat out some qualified person through social connections. Someone who could have secured the data. But no, the government pays you big money. And for what. What are you doing now IP manager. Surfing the web on G-time? Checking your fakebook? Hanging out in the lunchroom or hallway shmoozing it up with the suits. We all know your type. I've met hundreds of your kind.

My account with MyIDCare was locked because I forgot my password. So I called the number given 1-800-750-3004, waited 10 min while someone gave my a whole list of of things they do but never a human voice and no way to unlock my signin. What good is this thing if you can't get into it. I went to the Change password and it said "can't do that because I'm locked out" Really great Government crap again that doesn't work.

Pages

Leave a Comment