Email from OPM – is it the real deal?

Update (December 9, 2015): OPM discovered a second data breach that affects federal employees, contractors, and others. If you received a letter from OPM, please visit opm.gov/cybersecurity to learn more about what happened and to sign up for free identity protection services.

You just got an email saying your information was exposed in the OPM data breach. Wondering whether the email is the real deal or not? Here are a few things to look for:   

  • OPM will be sending most breach notifications by email between June 8 and June 19. The email will come from this address: opmcio@csid.com. If you get an email about the breach from a different address, then it’s a scam. Don’t click on any links or provide any personal information.
  • The real email from opmcio@csid.com will include your name, your PIN, a button to “enroll now” and information about the CSID Protector Plus program. If you prefer, rather than clicking the “enroll now” button, you can go directly to CSID’s website to enter your PIN and enroll.  
  • Here’s what to expect on CSID’s website: First, they’ll ask for your PIN or the last four digits of your Social Security number to make sure you are who you say you are. Next, if you choose to enroll in CSID's services you’ll be asked to provide additional personal information. 
  • OPM will not call you about the breach. If you get a phone call saying it’s OPM, then it’s a scam. Don’t provide any personal information. CSID, not OPM, is making all contacts about this breach. The contacts will be by email or US mail, not by phone. 

If you’re still unsure whether the email you got is real, check OPM’s website for more information and updates. If you think you’ve been tricked by a phishing email or a fake call, then file a complaint with the FTC and forward the email to spam@uce.gov.

Comments

Why is the OPM using email for notification instead of physical mail? Physical mail is much more difficult and expensive to spoof. I am surprised that breach notification laws don't mandate physical mail notification to curb all of the post-breach secondary fraud.

Actually they are sending out physical mail. I just received a physical mailing today and found this website post trying to determine if it was legit. Problem is, those incompetent tools didn't include the full name on the letter so now I don't know if it is meant for my father or myself, both of which have held government jobs if the military counts. Regardless either way the letter instructs as an email could, to go to their website rather than providing an obscure link to somewhere else.

Go to opm.gov for the most current information.

OPM posted updated questions and answers on its website on June 18, 2015. OPM said that as of June 18, it didn't believe the breach announced on June 4 involved personnel records of active military personnel. 

OPM said the breach announced on June 4 did affect current and former Department of Defense civilian employees, but didn't affect contractors, unless they previously held Federal civilian positions.

I've never held a federal position, but I have worked for a defense contractor and I received a notification letter from OPM. Guess they changed that

There was also a typo "alsocontact" without a space. That made me suspicious so that's why I am researching...so far seems legit

I saw that too. Red flag for sure.

Got mine by mail last year.

I received my pin and registered as instructed. However, I had to restart my computer and lost all my data. Am I still protected or do I need to start at square one again?

If you have your notification letter and pin you could try enrolling for services.

If you lost your PIN code you can contact the OPM verification center at 866-408-4555 Toll Free.

Thanks for the info. Greatly appreciated.

Stuff out in my mail box all day for anyone to grab is NOT secure.

What does OPM stand for?

The Office of Personnel Management, the federal government’s personnel agency.

One is worried with so many cyber thieves, I've been trying to get a job at home to help my daughters and grandchildren. It's been difficult, pages are hard to trust. Thanks for your information.

How do we know we can trust OPM or this CSID service at this point? especially with them asking for information via email?

What if all of these scams were done to a person with a disability?,but kept as much documentation as possible...like phishing..hacked email...phone..computer..where could person who goes into severe panic attacks and can't..overwhelming for person who can help??

About that I am on disability and have never worked a government job or any job for that matter. Yet I got one of those letters. I called the number they provided and after entering my pin they asked me for my full name, social, address, and age. Things the letter explicitly told me NOT to give them. I'm confused now. How DO we know whether this is legit or a scam trying to trick us INTO giving out our identities?

AS USUAL GREAT INFO. THANKS JOSE SOTO

You have to be kidding that this is the response to the security breach. Email headers can be spoofed (so the opmcio@csid.com is useless), clicking on a link in email is phishing 101, and the domain csid.com can be hijacked. Using the compromised last 4 of the SSN is also foolish. This is not a solution!

Thank you, hunderliggur. Exactly what I was thinking.

For what it's worth, csid is using an SPF record for their domain, so only certain IPs are allowed to send email for their domain. It's not perfect, and not all email servers check for SPF records or drop emails that don't match. But it's a start.
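The SPF caveat in the comment above, together with the post's rule that the notice comes only from opmcio@csid.com, as an added example (not part of the original post or its comments): SPF is checked against the envelope sender rather than the visible From: line, so a receiving gateway's SPF verdict only supports the From: address when the two domains line up. The gateway name `mx.example.net`, the finding labels and all sample messages are constructed for illustration.

```python
"""Added example: triage a message that claims to be the OPM/CSID breach notice."""
import re
from email import message_from_string
from email.utils import parseaddr

EXPECTED_FROM = "opmcio@csid.com"    # sender address stated in the post
EXPECTED_DOMAIN = "csid.com"
TRUSTED_AUTHSERV = "mx.example.net"  # assumption: authserv-id of our own mail gateway

_COMMENT = re.compile(r"\([^()]*\)")  # header comments, e.g. "(sender IP is ...)"


def _domain(addr):
    """Domain part of an address (or the value itself if it is already a domain)."""
    return addr.rpartition("@")[2].strip("<>").lower()


def _aligned(domain, org_domain):
    """True if domain is org_domain or one of its subdomains."""
    return domain == org_domain or domain.endswith("." + org_domain)


def trusted_spf(msg):
    """Return (result, envelope_domain) from our gateway's header, else None."""
    for value in msg.get_all("Authentication-Results", []):
        flat = _COMMENT.sub(" ", " ".join(str(value).split()))  # unfold, drop comments
        authserv, _, rest = flat.partition(";")
        if authserv.lower().split()[:1] != [TRUSTED_AUTHSERV]:
            continue  # not stamped by our gateway, so the sender could have written it
        for clause in rest.split(";"):
            tokens = clause.split()
            if tokens and tokens[0].lower().startswith("spf="):
                props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
                return tokens[0][4:].lower(), _domain(props.get("smtp.mailfrom", ""))
    return None


def triage(raw):
    """Return a list of findings; an empty list means no red flag was found."""
    msg = message_from_string(raw)
    findings = []
    if parseaddr(msg.get("From", ""))[1].lower() != EXPECTED_FROM:
        findings.append("from-mismatch")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and not _aligned(_domain(reply_to), EXPECTED_DOMAIN):
        findings.append("reply-to-other-domain")
    spf = trusted_spf(msg)
    if spf is None or spf[0] == "none":
        findings.append("spf-not-verified")   # receiver never checked, or no record
    elif spf[0] != "pass":
        findings.append("spf-" + spf[0])      # fail, softfail, neutral, temperror, ...
    elif not _aligned(spf[1], EXPECTED_DOMAIN):
        # SPF passed, but for the envelope sender's own domain, not the From: domain
        findings.append("spf-pass-unaligned")
    return findings


def _msg(from_hdr, auth_results, reply_to=None):
    """Build a constructed sample message (not a real OPM/CSID email)."""
    headers = [f"Authentication-Results: {a}" for a in auth_results]
    headers.append(f"From: {from_hdr}")
    if reply_to:
        headers.append(f"Reply-To: {reply_to}")
    headers += ["To: employee@agency.example", "Subject: Important notice", "", "body"]
    return "\n".join(headers)


# Constructed samples; 192.0.2.10 and the .example domains are reserved for documentation.
SAMPLES = {
    "aligned": _msg(
        "OPM CIO <opmcio@csid.com>",
        ["mx.example.net; spf=pass (sender IP is 192.0.2.10)\n"
         " smtp.mailfrom=bounce@mail.csid.com"],
        reply_to="r-constructed@mail.csid.com"),
    "spoofed-from": _msg(
        "OPM CIO <opmcio@csid.com>",
        ["mx.example.net; spf=pass smtp.mailfrom=news@mailer.example.org"]),
    "lookalike": _msg(
        "OPM CIO <opmcio@csid-alerts.example>",
        ["mx.example.net; spf=pass smtp.mailfrom=opmcio@csid-alerts.example"],
        reply_to="enroll@csid-alerts.example"),
    "forged-header": _msg(
        "OPM CIO <opmcio@csid.com>",
        ["mail.csid.com; spf=pass smtp.mailfrom=opmcio@csid.com"]),
    "spf-fail": _msg(
        "OPM CIO <opmcio@csid.com>",
        ["mx.example.net; spf=fail smtp.mailfrom=opmcio@csid.com"]),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14} {triage(raw) or 'no red flags'}")
```

An empty result means no red flag was found, not that the message is proven genuine.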

Thank you for your due diligence!

Why is OPM forcing federal employees to provide PII to a contractor (yet another party) for protection? Someone should be fired for this and it's time for a class action lawsuit.

I received this letter also but I am not sure if I should go to the CSID website and enter all my personal information. Law suit sounds about right, I have never been a federal employee. Don't understand where my information was pulled from??

Go to opm.gov for the most current information.

OPM maintains personnel records for the federal workforce, and it said that about 4 million current and former federal civilian employees were affected by the breach.

Those current and former federal workers will get notices from OPM. If you aren't a current or former federal worker,  but you got a letter asking for your personal information, the letter might be a scam. Go to the OPM website to learn more about who is affected and how OPM is notifying people.

I live in Spain & CS ID insisted that I have a US address in order to assist me. They wanted me to use a false address and then they could change it later! Why is the Government paying for this incompetence?

Another Outraged Fed

how does OPM even know which e-mail address to use? brilliant send a PIN to the ID thief who applied for and received tax refunds.

Because they either have your current work email or one you provided when you retired.

Victim, you have it right on. If you have already been a victim of identity theft, someone has likely made up an email address with your name on it. So if your warning comes into an email it could well go to the hacker/thief and not you....hahahaha what a joke.
Mine was a letter, I likely had a background check for something, I am not a Govt employee or retired person. I wonder if this has to do with finding out people with concealed carry permit???

Possibly a relative who worked for the government had to list you.

I understand that CSID Protector Plus program will cover up to $1 million theft protection services. What if your personnel portfolio is greater than $1 million? Will CSID cover that loss as well?

The OPM website says you can get more information about CSID on the company’s website and by calling toll-free 844-777-2743. International callers should call collect: 512-327-0705.

I have been locked out of my account and this toll free number doesn't work.

The Toll free # I got in my letter in the mail today is 1 800 750 3004??

Same number in my letter.

Please note that there were two data breaches. This blog was written about the first breach (personnel records). If you got a letter in December, it was probably about the second breach (background investigation records).

The OPM site (opm.gov) says that if you were affected by the second breach (background investigation records) you can go to the Cybersecurity Resource Center and select the “Sign up for services” button or call 800-750-3004.

Bridget, we all got that Cybersecurity Resource Center number. It doesn't help. It is not an OPM number. It just connects you to MyIDCare, and the person you talk to also wants your full social security number.

I was breached and I called the number of CSID instead of using email. I trust no one at this point.

Why would you trust them by phone??

I received a letter from OPM yesterday... no email.

OPM says never give your personal info on email or telephone, but this site the first thing is your birthday and ss numbers they need. I changed password on my important sites and write them down in my notebook next to my PC { and will not sent to lifepass} another site hacked this week

Is CSID any more secure than OPM? CSID is asking for and retaining even more information than OPM has.

I was asked to supply all types of personal info - drivers license #, med card id, I hope the hell I was scammed. the email address looked okay but wow that was a lot of info to share - now I am paranoid beyond belief!

Go to opm.gov for the most current information.

The OPM website says that if you enroll in CSID’s credit and identity monitoring you need to provide:

  • First Name
  • Last Name
  • Full Address
  • Date of Birth (used to activate Court & Criminal Record monitoring)
  • Social Security number (used to initiate credit monitoring)

You will also need to create a username and password to access your CSID account. Once you create an account, you have to  answer a set of authentication questions to validate your identity. The questions are related to information on your credit report. The question might be “With which financial institution do you have an auto loan?”

When I enrolled in the OPM CSID program,they asked for my social security number,is this part of their procedure?

Go to opm.gov for the most current information.

The OPM website says you can get more information about CSID on the company’s website and by calling toll-free 844-777-2743. International callers should call collect: 512-327-0705.

In general, if you want to get identity protection, you have to provide information to prove you are who you say you are. You might have to give your social security number and other information so they can locate the accounts you want them to monitor.

If they were able to send me the information and provide a PIN number why didn't all of my personal information automatically generate. I do not feel right inputting all of my personal information.

Exactly KB, this whole thing stinks. I'm out.

I agree. I received a letter today. I never applied for a federal job. Only a state job. Plus, I don't understand why I would have to enter my ssn on the site. it should already be linked to the pin.

The breach includes anyone who has had an extensive background check done as well. Not just government employees. This includes fingerprints!

Ms. Small, you seem to have a lot of information. I want to believe you, but how do I know you are legit? Does the FTC after your name stand for Federal Trade Commission?

Yes, Bridget Small works for the Federal Trade Commission (FTC). Here's one of her recent blog posts: Hundreds of millions say “Do Not Call”

 

 

Where do I get my pin number?

Unfortunately you can't trust anyone, anywhere, anytime. There is corruption inside legit companies, or these legit companies, including the .gov's themselves can get hacked, i.e., OPM. So who do you trust? I feel sorry for my grandchildren, having to grow up and deal with this ever grown problem.

Although this was a major OPM data breach, can anything be done to prevent this happening in the future (encrypt the data)?

Many of these comments re the STUPIDITY of this CSID thingamabob are on target. Hey, if we can figure out the very serious problems associated with this approach (assuming that the email we get is legit in the first place), why couldn't the brilliant SES folks at OPM figure it out also? DOH. Argghhhh. Grrrr!!!!!

OPM identifying a contractors website and email header address on their home page for public viewing, A contractor (?) sending an email vice OPM mailing official letters to those affected by this SNAFU - really this is the best OPM got- then insult and alienate customers with OPMs lack of accountability and publishing official response as "not my fault". Give me a break why would I trust OPM email?

Why in the world are they sending this notification from a .com address. It's raising more suspicions and confusion.

This is concerning. It's like a no win situation.

Exactly what I was thinking too!

I have questions regarding the OPM notification I received today? Is this a legit email? Why when I go to the CSID site it is asking for pertinent PII information that was compromised? I.e. DOB, mailing address and SSAN. What is the relationship of CSID with the government?
QUOTE FROM EMAIL: These services are offered as a convenience to you. However, nothing in this letter should be construed as OPM or the U.S. Government accepting liability for any of the matters covered by this letter or for any other purpose. Any alleged issues of liability concerning OPM or the United States for the matters covered by this letter or for any other purpose are determined solely in conformance with appropriate Federal law. Please note that these services are offered to the specific addressee of this letter and are not available to anyone other than the individual who received this notification
QUOTE FROM EMAIL: OPM takes very seriously its responsibility to protect your information. While we are not aware of any misuse of your information, in order to mitigate the risk of potential fraud and identity theft, we are offering you credit monitoring service and identity theft insurance through CSID, a company that specializes in identity theft protection and fraud resolution. All potentially affected individuals will receive a complimentary subscription to CSID Protector Plus for 18 months. Every affected individual, regardless of whether or not they explicitly take action to enroll, will have $1 million of identity theft insurance and access to full-service identity restoration provided by CSID until 12/7/16.

Go to opm.gov for the most current information.

On June 18, 2015, the OPM website says it is offering credit monitoring services and identity theft insurance with CSID to people affected by the breach. OPM says you can get more information on the company’s website and by calling toll-free 844-777-2743. International callers can call collect 512-327-0705.

In general, if you want to get identity protection, you have to give a company information to prove you are who you say you are. You might have to give your social security number and other information so they can locate the accounts you want them to monitor.

I received a letter from OPM today as well. No email yet.

Why is my letter from csid and why should I trust them? Is this for real?

Go to opm.gov for the most current information.

On June 19, 2015, the OPM website said it is offering credit monitoring services and identity theft insurance to people who are affected. The services are with CSID, a company that specializes in identity theft protection and fraud resolution. You can get more information from the company’s website and by calling toll-free 844-777-2743. International callers should call this number collect: 512-327-0705.

OPM suggests that you contact your agency's privacy officer to validate the communication you get.

Bruce, My letter is from "OPM Notifications". I wonder why the difference?

I live overseas. Got my email. Tried to login, but doesn't allow retirees living overseas the ability to enter their current overseas address. Do I forget about enrolling?

Go to opm.gov for the most current information.

On June 19, 2015, the OPM website says you can get more information about CSID from the company website or by calling toll-free 844-777-2743. International callers can call this number collect: 512-327-0705.

It sounds like "Bridget Small - FTC" is part of the Phishing scam. Every question she is asked is replied to by “Go to opm.gov for the most current information.”. I also agree on the Turing Test.

According to the replies, it is impossible to contact OPM by phone (three hour wait). Also, I would NEVER give out my SSN, DOB, etc to ANYONE, especially a suspicious website. I entered my pin and the last four of my SSN, but the next page was prime material for identity theft. Giving then the last four of my SSN is not a problem and should be sufficient to identify me in order to sign up for their services, which according to my mailing are not required anyway, since they are already implemented.

I entered my pin and the last four of my SSN, but the next page was prime material for identity theft. To those who do signup for the “plan”, keep a careful watch on your bank accounts. I am also going to request a credit freeze from the credit agencies. That way no one can apply for a loan in my name. Banks have protection against unauthorized withdrawals. A final note. I went back and entered my PIN and SSN second time and wonder of wonders, it worked. So much for their "one time usage" statement.

Dear "Sounds like phishing"

I assure you, I am a real person, not a scammer. I work for the Federal Trade Commission. I suggest people go to the OPM site because OPM is the agency responding to the breach.

OPM provides two services automatically to people who were affected by the breach. But, if you want the additional services that OPM makes available, you need to enroll. You do not automatically get credit monitoring and ID monitoring.

You may choose to put a credit freeze on your file. But a credit freeze may not stop misuse of your existing accounts or some other types of identity theft. This FTC article tells more about credit freezes.

So I already submitted my information and now I don't know if it was the real site or not. Happy I didn't have my banking information put in there and now I'm in the process of coming up with a new email address. It's terrible that we are in such a SHARING time in our lives that EVERYTHING has to be connected "to make it easier". It's no wonder ID theft is out of control. You don't know who is who, who is honest or who knows what's really going on.

I'm just glad their pages are secure -- or are they? What happened to the padlock on the PII page? Unsecure data on a secure page? Typing the information into the fields is unsecure until submitted, so why is this not hidden? I tried to call the helpdesk -- was on hold for an hour before I hung up, but I am sure they would have "assured" me it is secure. This company is making hundreds of millions from the US govt -- Podunk company to super-rich player. The DoD has terminated the program until CSID fixes it -- guess it took someone with more smarts to make them at least APPEAR to be secure, than just telling people they are.

I was unsuccessful attempting to enroll on line due to an error-- have been on hold with CSID( 844-777-2743) for > 2 hours. Has anyone had success in enrolling on line or getting through to customer service? Next step? Calling my representative to inform them of the "non -fix" by OPM?

I was able to but she told me to use lower case and not to add any punctuation.

I find it interesting that to combat the data breach, we are being advised to access yet another website and to release yet more personal information to a new website. Ironic, eh?

Bingo Bob...

All of you make such good points. Fact is I have been paying for Life Lock for years. To keep my secret clearance the govt runs my credit several times a year. I have always liked to keep my own eye on my own personal info. Beware when an agency that is making back room deals to offer free services, and then added products. This is not a government agency. It is a private company. There are many companies that do what they do. My health records were breached at Kaiser some years ago. Same thing. They sent out similar letters offering monitoring service. Fact is we are all at risk all the time. Just use PayPal, or EBay, I promise you fraud will be on its way in no time. Good luck all!

I called 844 777 2743. I was advised to access the website due to a 90 minute call wait queue.

Thank you all for commenting. You share my concern. I expected a letter and got an email. The sending email ends in .com, not .gov. I totally understand, Bridget Small, what the email says. Mine, and I believe the others' concern is with the process. One would have to be incredibly ignorant nowadays to blindly follow email instructions.

Everything sent out and claiming to come from opmcio@csid.com is exactly what a determined phisher would do. OPM itself claimed all that was stolen initially was names, SSNs email, etc. Great! Now, given that, how would I go about getting the users to tell me more? Sure! Pretend to be OPM, send email from a non-government web site, claim it's all okay.. A few percent of users fall for this trick, and now I have hundreds of thousands of bank accounts, investment accounts, etc. Who cares if 95% realize this is phishy? 5% of 14 million bank accounts is a whole lotta money.

Exactly the opposite practice of what we're told to do in annual IA/cyber awareness training. Stuff like this is supposed to be PKI signed and come from a .gov or .mil address. They don't practice what they preach.

I called and tried to explain that to them and they were completely ignorant about our training.

I am a retired employee and got only e-mail. No snail mail. Should I expect regular mail too? As it is very easy to falsify names I checked IPs. They are asking me to provide name, SSN, address etc. at 72.3.201.109. Is this the correct IP? Geolocation data from IP2Location (Product: DB4 updated on /1/2015): IP address 72.3.201.109, country United States, region Texas, city Dallas, ISP Rackspace Hosting. I also looked at e-mail domains. Are they correct too? I clicked on the reply button and the address OPM CIO <opmcio@csid.com> with IP 213.165.76.224 changed to r-xdjdrcjrcjtpsstclvmsgdvghnhpbnysmpcdgblycchlgky@mail.csid.com with IP 96.46.132.64. Geolocation data from IP2Location (Product: DB4 updated on 6/1/2015): IP address 213.165.76.224, country Germany, region Nordrhein-Westfalen, city Dortmund, ISP 1&1 Internet Ag. Geolocation data from IP2Location (Product: DB4 updated on 6/1/2015): IP address 96.46.132.64, country United States, region Arizona, city Phoenix, ISP Azcentral.

Just go to OPM's website, opm.gov/news/latest-news/announcements/ there is a redirection to CSID in the upper right portion of the screen. I agree another third party, but then OPM is not in the business of credit monitoring, hence the need to contract with them. That link should give those unable to tell a phishing scam some peace of mind.

SHAME ON OPM AND CSID! I SEARCHED THE OPM WEBSITE AS WELL AS THE CSID WEBSITE FOR ANSWERS TO SIMPLE QUESTIONS AFTER RECEIVING NOTIFICATION -- NOTHING! THEN I CALLED AND LEFT MY PHONE NUMBER AS WELL AS ON HOLD FROM ANOTHER PHONE. I AM NOW INTO MY THIRD HOUR OF BEING ON HOLD. RECORDING SAID 90 MINUTE HOLD TIME. AS A DEDICATED GOV'T EMPLOYEE WHO GAVE HOURS OF PERSONAL TIME FOR THE MISSION I DESERVE TO BE TREATED BETTER THAN THIS. ALTHOUGH NOT A UNION MEMBER, I HOPE GOV'T UNIONS RAISE A STINK OVER THIS AND MAKE HIGHER UPS ACCOUNTABLE FOR THEIR LACK OF SECURITY MEASURES. THANK YOU.

I got a letter yesterday, too. But I worked for the government over a decade ago and I suspect they don't have my current e-mail address.

I have spent my whole life protecting my identity and now this because I am a federal employee. I am totally disgusted and have been violated by my employer. Hopefully, what goes around comes around and God help us all that have to deal with the incompetence of others the rest of our lives.

Why in the world is the OPM CIO sending email from a commercial address, rather than a government address. It clearly looks like a fraudulent phishing attempt. Poorly done OPM!

Go to opm.gov for the most current information.

OPM is offering affected individuals an 18-month membership with CSID, a business, that will provide credit monitoring services and identity theft insurance. The OPM website has a link to CSID.

I got a letter on July 1 2016. It looked official, but that is not enough. My letter did not refer me to CSID. It referred me to MyIDcare. I don't trust it and will not provide the extensive personal info they request.

I got a letter today at MY PARENTS HOUSE, in my married name, but I haven't lived there since BEFORE I was married. The company I was referred to was not CSID or MyIDcare, but mine was for ID Expert. Yeah, I'm DEFINITELY getting a bad feeling about this.

it's ok

Maybe we ought to use Hillary's Private email server !

BS the emailer can't even use correct syntax and agreement in the text. Nice try.

The letter I got sent me to a web site that asked for my whole social, not just part of it. Not crazy about this on a ".com" site. OPM should have provided a '.gov' site instead.
Then, to make matters even more suspect, the page the letter sends you to is mixed encrypted information and non-encrypted information so its security certificate may not be being used for the transfer of my social!! Another government screw-up in the works, OPM the sequel? "We lose your PII two times!"

Does the following mean that eventually we will have to pay for this service: All potentially affected individuals will receive a complimentary subscription to CSID Protector Plus for 18 months.

I tried to register. Put in the PIN and personal information and the computer froze up for a long time. Tried again and again the computer froze up with my personal information on the internet.

I left my govt agency three years ago and they do not have my current mailing or email address. I also live outside US now. How can I get this notice with csid pin?

Go to opm.gov for the most current information.

If a person was affected by the breach announced on June 4, 2015, and that person has left the government, OPM will send them a notification by postal mail to the last address the agency has on file. OPM will verify the address with the National Change of Address (NCOA) service before mailing a letter.

You may want to contact the privacy officer at your former agency for more information.

Found the email in my Junk Email. NMCI thinks it is spam. Why would any gov CIO send an email through a 3rd party. I was going to ignore this as a phishing attempt since I know the OPM CIO works for the gov not CSID. No wonder they are in trouble. CIO@opm.gov would be fine with me. Maybe their email server is bugged and running Windows 95. This CIO should be fired!

By the way, I cannot get to the site to put in my pin from my gov computers. I have all TLS and SSL opens selected and still I get page cannot be displayed. Phone line is 1hr wait.

Who is Bridget Small, and why does every one of this person's responses begin "Go to opm.gov for the most current information. On June 19, 2015, the OPM website said ..."?????
Most government employees and retirees can read, have already been to the OPM website, and are reacting to the (typical) inadequate and poor information presented there. Instead of parroting this introduction each time, how about realistically and practically addressing concerns that are presented in these customer comments instead of assuming the customers can't read or haven't already done so?
I will personally NOT provide ANY of the PII requested by this alleged company until I get trustworthy information directly from OPM that openly addresses the exact problem, presents the detailed steps that have been taken to prevent it from happening again, and gives well-thought-out action guidance to employees and retirees, i.e., NOT like the government's last Health Care Database debacle, and NOT like this current epic failure!

Good morning.  I am Bridget Small, a staff person in the FTC's Bureau of Consumer Protection, Division of Consumer and Business Education. 

People read and comment on our blogs days, months, sometimes years after they're posted. The blog you're commenting on was posted 12 days ago. New information can emerge after we post a blog. In fairness to all our readers, including those who aren't directly affected by the OPM breach, and/or aren't following it closely, it's important to be clear about what was known when, and where to go for more information.

Who authorized OPM to give my personal information to CSID.COM? CSID asked personal validation questions on their site that ONLY myself and OPM could know, and I did not waive my right to privacy when I initially supplied the information to OPM for my security clearance.

Great point! I stopped at that very screen because it just seems so ridiculous.

I have tried to call CSID for two days. I called at 9:00 am and the waiting time is 90 minutes. I am today on the phone and the waiting time is now 44 mins from 90 minutes this morning.
I don't want to give my SS on the computer. I called OPM because my password has expired so now I have to wait 7 days to get a temporary password from OPM. I am terrified. It

When will they fix the web site so that I can logon? Last few days have tried to logon and see a we are having tech difficulties message with a 1 -844 phone number. This is almost like back when Obama care web site went up. There were issues.

I can't believe OPM would send an email. I received letters by mail in the past. They do not have my email. So the information I received was from the FTC and not OPM. I did not get a letter, so for this to be true, I question the information to the highest as many more are stating in their comments. I have not as today June 25, 2015 received any letter or email concerning a breach in our personal information. Although the FTC is part of our government. They could have gotten information before us and those of us who are receiving emails from the FTC was notified in that manner. I appreciate the FTC keeping up with what is going on in our government. It keeps us up to date on inner cities activities, this is my word for inner circle of our government.

Go to opm.gov for the most current information.

If you are a current or former federal employee and your information was affected by the breach, OPM will notify you by email or mail. Email will come from opmcio@csid.com.

The FTC is not sending notices to affected people. If you get an email that is not from opmcio@csid.com, and it says it's about the breach, don’t reply, click on any links, or open any attachments.  Read more about Phishing in this article.

Just got a letter 2 days ago from OPM. From chief information officer regarding data breach. I retired 8 yrs ago, Still debating if I have to sign up with CSID free protection plan for 18 months, after reading all the comments I have doubts and don't really know if can trust CSID giving them all my personal info! I

On CSID website: "Every affected individual, regardless of whether or not they explicitly take action to enroll, will have $1 million of identity theft insurance and access to full-service identity restoration provided by CSID." Sure sounds like we don't have to enroll to receive the same protection. So why give CSID our personal information.

Go to opm.gov for the most current information.

The OPM website says that if you want credit monitoring and identity monitoring services you have to enroll for the services using the code that came in your notice.

After entering personal information on the CSID site and getting no response I am afraid to further enter personal information that may not be secure, and don't know where it is going.
Why didn't the OPM test the system before implementing it?
It seems to be causing more harm than the breach.
Being retired Navy, I do not get the protection that current employees get by the IT monitoring they provide.
Shouldn't the OPM announce that the notifications have been cancelled? Or that if you get through it may take many hours and possibly many crashes trying to get through?

I signed up for the CSID protection yesterday afternoon. I noticed that the SSN trace report showed some ridiculous address in my record (Bluefield College, Bluefield, VA). I called CSID this morning. Their response was that they could do nothing, explain nothing, and if I wanted to pursue this to contact my “local public records facility”.

Five minutes ago, I received a solicitous call about lowering my credit card interest rates; the first ever on my mobile phone.

It took CSID less than 24 hours to sell my identity. Completely worthless.

From CSID website: "Every affected individual, regardless of whether or not they explicitly take action to enroll, will have $1 million of identity theft insurance and access to full-service identity restoration provided by CSID." Notice the statement "whether or not they explicitly take action to enroll".

It seems that we don't have to enroll to receive the same protection.

Wow! Got my snail mail letter today. I checked the website on Thursday and was assured that all snailmail would be delivered by June 19. Today is the 27th (8 days after the last possible delivery date). So I go to CSID (through the opm.gov website). Of course after entering my PIN to prove it is me, I am asked for my full SSN, DOB, address, holy cr@% that is a lot of information for someone who just linked me to the PIN I provided for proof. I don't know what to do. I don't want to give all of my PII. Surely there must be a more secure way to enrich the stockholders of CSID. Any ideas on how to sign up for the protection without giving up all of my protection?

Go to opm.gov for the most current information.

The information on the OPM website explains what you saw on the CSID website. According to OPM, if you want credit monitoring and identity monitoring services you have to enroll directly by entering the activation code you got in the notice, establishing an account and correctly answering a set of authentication questions.

In general, if you want to get identity protection, you have to provide information to prove you are who you say you are. A company might ask for your social security number and other information to establish your identity so they can connect you and the accounts you want them to monitor.

Why would they ask for your info, when DOD OPM already has my records? I do not trust this.

If you got a legitimate email from “OPM CIO” at opmcio@csid.com, it has a link that takes you to www.csid.com/opm.

OPM said that anyone who is affected by the breach is automatically enrolled in full service identity restoration (to help you to repair your identity if needed) and up to $1 million in identity theft insurance (to reimburse your expenses if your identity is stolen).

You have a choice about whether to enroll in CSID’s credit monitoring and identity monitoring services.  If you enroll, CSID will ensure that your credit and credit card accounts are monitored for suspicious or fraudulent activity.

If you want to enroll, you have to give personal information to prove you are who you say you are.

Go to opm.gov for the most current information.

I retired 5 1/2 years ago and received the email Friday 6/19 after 35 years with DOD. I Googled about the email and I am not sure if I want to complete the form from the link in the email after reading comments here. It is too much private information they are asking in light of the massive security breach. I worked in IT and remember all of the training we received regarding phishing and other ways to get our identity.

CRAZY...got the CSID letter but the addressee was NOT ME. The address is mine. Called CSID (very friendly). Gave my name & last 4 SS; was told I had been breached and need to go to the web site to enroll. She gave me my pin over the phone. She was NOT concerned about the addressee and their pin# on the letter...said the person would call if needed. I want to do the RIGHT thing but don't know whether to enroll or NOT...retired from Fed 7 years ago. What should we do and WHO can we TRUST????

Go to opm.gov for the most current information.

OPM said that anyone who is affected by the breach announced on June 4, 2015 is automatically enrolled in full service identity restoration (to help you to repair your identity if needed) and up to $1 million in identity theft insurance (to reimburse your expenses if your identity is stolen).

If you're in that group, you have a choice about whether to enroll in CSID’s credit monitoring and identity monitoring services.  If you enroll, CSID will ensure that your credit and credit card accounts are monitored for suspicious or fraudulent activity.

If you want to enroll, you have to give personal information to prove you are who you say you are.

Received my CSID letter and if that doesn't have the air of spear phishing, I don't know what does. Login to this "special" website and enter your PII. ToS reads ... give us your PII, but you can't hold us or third parties accountable if something goes wrong. And the domain csid.com registered by GoDaddy and registrant info is "domains by proxy." I have no confidence.

They probably have all our nuclear codes and we don't even know yet. SMH

Does my personal information expire after 18 months? Why only 18 months of monitoring?

Good question? Maybe the future will show there is some monetary kickback from the Company.

There are several lawsuits in progress to change the limits. Will have to wait and see.

I worked for the Fed for over 38 years. I did quite a bit of work in IT. Security was always a high priority, so nine years after I retire, these --- drop the ball on us. I am disappointed. The government is supposed to protect us from all enemies both foreign and domestic. I guess they forgot that part of the oath.

Why hasn't there been something published in regular media about this? Between the sharing of personal information by OPM with CSID and the bogus looking e-mail from a non-government site, there needs to be a public, widespread explanation by OPM.

I thought the e-mail was crap, so did not click on anything. Bridget Small: please share this with OPM. Or should we just pass this on to the congressional committee and press ourselves? thanks

Go to opm.gov for the most current information.

If you got an email or paper mail notification from OPM, but didn't respond to it, you can contact CSID to see if you're eligible to enroll. Current and former Federal employees can call CSID at 844-777-2743.  (International callers: call collect at 512-327-0705).

  • 7 a.m. - 10 p.m. CST (Monday through Friday)
  • 8 a.m. - 8 p.m. CST (Saturday)

OPM is making this too cumbersome for current employees. All OPM has to do is provide a check box for opt in/out for monitoring in our personnel account. Verify info and send it on over to CSID. Getting error code when I try to sign up via indicated website.

Attempted to use their website today...said my username was previously used. Changed username...said my pin was previously used - all this after having input my PII. Not cool and they shouldn't lie about their capabilities or the fact that they haven't been out in front of this and are still not prepared to handle the numbers being thrown at them.

The thing about not being contacted by phone is WRONG. I received a call yesterday from the Census emergency response line, asking if I had received the e-mails they sent. It was a recording & only asked for a yes or no answer. It was real because that phone # is stored in my phone & was identified as the emergency response # used to check up on us in case of a disaster, like a hurricane, so you need to update that.

OPM is not contacting people about the breach. If you get a phone call saying it’s OPM, then it’s a scam. Don’t provide any personal information.

It sounds like you got a call from an agency that had your number because you gave it to them.

My email and address have changed; am on non-pay status with IRS. How do I find out if I'm affected? Don't really want to hold on the phone for 2 hours.

Go to opm.gov for the most current information. There are questions and answers there about many topics.

If you were affected by the incident that OPM announced on June 4, OPM would have sent you an email or paper mail notice. OPM was sending notices via postal mail to the last address the agency has on file. OPM said it checked addresses with the National Change of Address (NCOA) service before it mailed letters.

Why is it that I cannot go to my OPM retirement site to determine if my info has been included in the hack? All I read is that the OPM is sending letters and emails to "those affected"... Am I to assume as I got no letter/email my info is still secure? I am supposed to assume that no email no letter means no breach? BS to that, OPM should be able to confirm YES your info has been taken or No your info has NOT been taken to every employee... simply amazing

I don't know how anyone is supposed to know what is what. I just received an opm.gov email from a Janet Barnes with the following message "You have been chosen to receive a private donation. more info contact (michaelduncan@yeah.net)=" That sure doesn't sound like anything that should be coming from a government email account! Obviously, I did not contact the email address, but feel that opm.gov should investigate who is using their email account.

Entered once, not sure it went through. Just got my e-mail 2 days ago, what took so long? I believe that we should receive identity theft protection for LIFE and with one of at least the top 10 companies. Otherwise the identity thief can just wait 18 months and then use our information unless WE pay for identity theft protection ourselves for the rest of our lives. This happened through no fault of our own, not fair!! Whatever happened to taking responsibility for your mistakes and paying the price? I also agree with a previous post from someone who contacted CSID, who authorized the OPM to give them our personal information????

My notification came from a third party - CSID - on mixed CSID/OPM letterhead. Signed by the OPM CIO. With regular commercial (machine) postage. I was skeptical. However not so much after a brief search.

The OPM site on this subject says "For questions about the personnel records incident only, please call CSID at 844-777-2743" Which is the see Official OPM statement "Information about OPM Cybersecurity Incidents"

CSID can be hacked as easily as the government. They protect us by gathering our data. Explain the deep security arrangements that CSID has made to protect who they protect?

I have received telephone calls on my home and cell phones, I have NOT received a letter in the mail. However, when I called the 18447772743 number they said I was included in the Breach and to use the provided number to sign up on the CSID website---then asked for DOB & SS info. At this point I called the Philadelphia Census Office and Administration couldn't answer questions. I also received an email - without a PIN number included.
They stated that the PIN can only be used once, more or less "forcing" you to enter additional PII to get the coverage being offered. I chose not to enter and called the telephone number again and they stated a new PIN would be issued if I needed to continue the process. My son works for the DOD as a civilian and he has not received any notification about his PII being part of the breach, although he falls within the data breach content of having a background check after 2000. Will anything be done? As a Census employee who must insure my clients that all information is encrypted and safe, they give me SS#'s etc, now how is this going to hinder the responses of those when I go and try to gain their "TRUST"? This will result in lower response rates, etc. for the Census Bureau employees!
The email I received was from:
conf-784768321@everbridge.net now that really makes you think it is from the government, without a PIN and haven't received a letter!
Government should pay for protection for life of employee and spouse or partner!

I got a letter. Why is the website www.csid.com/opm asking for my Social Security #? Shouldn't the Social Security # be linked to the pin? I'm not comfortable with this.

This thread is fascinating. Bridget Small could be some computer's attempt to win a Turing test (or a person's attempt to lose one).

I'm very upset... the very person that sold my info in 24 hours is now asking me after 2 years of protection to pay for the service they stole in the first place!! Where is Obama in this matter? War Vets do not deserve this... May God do something about this, amen.

So I tried to enroll, it didn't work, and the system locked me out. Then I call the number, and they ask me for my SSN! Just to confirm that my pin wasn't available anymore. Then they tell me I won't be able to use this service until they get more pins, at some point in the future. Which could be weeks??? This is not right. If you're offering a service to ppl because you screwed up, don't make a mess of the fix as well. I was thinking about going back to work for the feds, now having second thoughts, maybe I should just write a nasty letter to Obama instead...

What do you expect from the Obama crowd? Too busy giving nukes to Iran.

Has anyone considered that this CSID was behind the original hack? Either to generate a very lucrative contract or in a more cynical and ingenious plan to get the final touches on all the partial information they stole the first time? OPM will not tell us what or even if they vetted this company. They already have all our info from OPM (whether we agree or not, we simply were not asked) so why on earth would they need all the additional info again if not to validate what they already stole?

Thank you, finally someone who actually makes sense of all of this.

I am worried about giving my PII to a contractor who will have all of my information in another database that could be hacked. Then I realized that CSID has our information already because they are verifying our data for monitoring. I wonder if the services are worth it since they will notify us if they notice our information being used such as our SSN with a different name. It is not clear to me that they take any steps to stop it. Is it correct that they only observe and notify? Does the SS Administration know who has been breached or is that a separate action that we must take individually?

GOD! IS THE USA REALLY A FRAUD? I want you to hear my story. I am a retired DOD civilian with 27 years as a mechanic on the F-15 fighter jet, America's number one pistol in a USA home invasion. For 27 years I was highly aware that even a small mistake was unacceptable, considering the magnitude of importance in the role this plane plays in our defense. Now, CSID is supposed to be protecting and monitoring my personal information from identity theft. At the end of June 2015 and early July timeframe my credit card was breached and run to the max on a Sunday, when CSID doesn't see the importance of my protection to staff 24/7, knowing that financial institutions have a 5 day week. So the perpetrator had all day to have fun with my card because no one was watching. The following Monday I contacted by phone CSID with the information my card was breached. The pothead had no clue, the more I talked the less he learned, bringing to mind what in the world they were doing while this was going on. Considering I had finally managed to block the card with my bank's automated system. The pothead was totally unaware of the situation and told me that they were there to monitor and protect my identity. He did not have a clue that I was a victim and showed no concern. After several minutes of useless conversation I hung up frustrated and confused. I went to the grocery store just before 5pm after checking my local bank acct to ensure I had money in my debit acct. At check out at approx 5:40 my debit card was denied 4 times. The cashier explained it was showing insufficient funds, YES BY GOD, they had hit me again this time in my debit acct. I'm sure the pothead at CSID once again had no clue and I once again had to protect my own identity by pursuing a block through my bank after hours. Shortly after that I called CSID but nobody was home. Now as if that isn't bad enough on Sept 2nd I received an update email from CSID on my identity status.
I was absolutely shocked when in big green letters "everything is fine with your accts". They didn't have a clue that the 2 cards, 1 credit 1 debit, were breached and blocked. They told me that I was in good hands and perfectly protected. Now I ask you what good is this company? I truly believe it is non-existent and nothing more than another Gov fraud, with a few low paid phone operators working out of an unneeded office or in a warehouse within the beltway. I don't even believe this thing exists. Do you? I'm sure that in another couple of months that I will receive another 'everything's great' email with big green letters from the great protector CSID.

According to information on the OPM site, if you were affected by the personnel data breach OPM is providing you with

  • identity theft monitoring service,
  • identity restoration service (to help repair any damage from identity theft), and
  • identity theft insurance (to reimburse for some expenses incurred because of identity theft).

You may want to use those services if you need help or have costs from recovering from the theft.

Also: identity theft victims can get free information and detailed tips for repairing identity theft at identitytheft.gov. Identitytheft.gov shows how to create your identity theft Affidavit and other documents you'll use to repair problems.

The site also explains fraud alerts and credit freezes, which you can place yourself. An alert or freeze makes it harder to get credit in your name.

It is clear in the story that this person is using the services that you bullet pointed. The problem is that their account is not being serviced. OPM is just telling them things are okay when clearly things are not okay. In this story the services do not work. Clearly.

Hi Bridget! The letter I received had me enroll at opm.gov /cybersecurity. Everything appears legitimate, except I notice everyone on this post mentioning CSID. I don't see that reference anywhere. The company referred to me is ID Experts. I was about to complete enrolling, but this made me stop.

In 2015, OPM contacted two groups of people who were affected by data breaches.

In early 2015, OPM notified people who were affected by a breach of personnel data. OPM offered those people services through CSID.

In the fall, OPM notified people who were affected by a breach of background investigation records. OPM offers those people services through ID Experts.

Meanwhile, OPM is sending out emails with partial SSNs when you go through the job application process. I can't believe they are doing this.

I just received a letter on Saturday, Oct. 10, from OPM. Should I trust it? This is the first time that I have been contacted. Looks like others received their letters a couple of months ago.

Go to opm.gov for the most current information.

On October 1, 2015, OPM said it would start mailing letters to people whose names and fingerprints were stolen in a breach of the OPM system.

The letter will have a personal identification number (PIN) number that you need to sign up for certain identity protection services.

No one from OPM will contact you to ask for personal information. You can choose whether to sign up for identity protection services.

I am taking my letter to the FBI. Bridget Small sounds like a troll to me. I don't trust this at all.

Good morning. I work in the FTC's Bureau of Consumer Protection. I'm one of the FTC staff who read and respond to blog comments with information and suggestions about additional resources.

It appears Ms Small, that you are overworked as you seem to be the only person in OPM -strike that -at FTC answering these comments. I applaud your patience.

I note that I need to receive info from OPM who passes me to ID Experts who passes me to their contractor CSID (Costco's current plan to purchase BTW), but OPM or somebody also suggests I complete enrollment with myIDcare. When I search myIDcare it defaults to Medicare in almost all cases except for one search reply that states in part "myidcare com /secuirty andprotcion". (There is a dot before the com that I removed to insure I did not send you a phishing web site). Those are their typos-not mine! So don't be surprised by all these comments with red flags flying all over. So is it ID Experts, CSID, myIDcare, or more out there? Can OPM see the debacle they have created?

I received a letter the same as you. I went to opm.gov / cybersecurity, click on their link and it took me to MyIDCare as well. When the MyIDCare enrollment page pops up, there's no information about the company or how to contact them. I did a little more searching and found an address in Portland Oregon for MyIDCare. What is interesting to me is, you're the only post I've seen thus far that mentions MyIDCare. Everyone else talks about CSID. Not sure what to think.

Go to opm.gov for the most current information.

There were two cybersecurity incidents at OPM. The first breach exposed people's personnel data. OPM sent letters in June 2015 to people affected by the first breach. OPM worked with CSID to notify people about the first breach and to help people get services.

The second breach involved people's background investigation records. In September 2015, OPM started sending letters to people affected by the background investigation records breach. If your information was affected by the second breach, you can sign up for services from My ID Care.

 

I just got one of these letters in the mail under my son's name. He is only 15 years old, 14 when the breach notice went out. How can I find out if someone used his identity BEFORE the breach? Otherwise, why would the OPM send this in my son's name when my husband is the one who worked for the military.

Go to opm.gov for the most current information.

On 10/19/15, the OPM site says that if you get a letter and PIN code from OPM, it means OPM determined your Social Security number and other personal information was stolen in a cyber intrusion involving background investigation records.

OPM is offering identity theft protection services to the dependent minor children of affected adults, if the kids were under age 18 on July 1, 2015.

If you or your children are affected by the breach, you automatically get identity theft insurance and restoration services. You can also enroll for identity and credit monitoring services.

Use the information in your letter and at opm.gov to learn more.

Hi Bridget - your comment and the OPM letter and the OPM website all say that the protection is extended to children who were minors as of July 1st 2015. However, the ID Experts website will not allow you to enroll a minor child if that child has turned 18 since July 1st. Is there a way to confirm that children in this category will receive their own letter?

I just got my letter in the mail yesterday, read all available information on OPM/CSID had available about both Cyber attacks and read this whole page of comments and concerns still with no trust in this whole ordeal. Early this year I had my bank card used by an unauthorized individual in a different state within hours of using it myself, my account completely zeroed out and yet cleaned up that mess myself within the same week, so why should anyone trust another THIRD-PARTY company to take care of it for me, that hassle made me redo everything of importance then and now yet again due to this, so why would I go through yet more THIRD-PARTIES to keep my INFO safe when the Second-Party couldn't do it in the first place, to me the more people who put their trust into the cyber-security system the more people get hurt by it, I do personally believe more could come out of this but why should I take another risk with something I may regret. And to Ms. Bridget Small I have read all comments on here and there is no new information as of this post that I need to know. I have looked into both OPM and CSID and read all available information they had/have on current subject as well as changing all my security that was in place, but I do appreciate your concern in helping others find the Information to help themselves.

OK, I got a snail mail letter last week about this. Apparently, the government could not adequately safeguard my PII. I'm now supposed to go to a dot-com website and provide a bunch of PII to them? I don't think so...

So let me get this straight. OPM was breached and lost my information. They have contracted the services of protecting my identity to a vendor which would like me to enter personal information onto a website to be stored in a database for my "protection". I don't see how we can possibly win in this cyber war.

I read many comments about 18 months. My letter received months after the breach said 3 years. I must really be in trouble. Also I did not pick it up here that there were two different letters that were almost indistinguishable and I could not tell what difference it made. One was to people whose fingerprints were stolen and one not stolen. What are the implications of the difference?

I rec'd the notification from OPM along with a PIN. The PIN did not work with the online sign-up...called the number in the letter. I was on hold for a long time, then connected to a guy with a heavy accent...LOTS of background noise...PIN didn't work for him....said I would have to speak with (?can't recall) for them to verify my identity. He read a TON of questions I would have to answer...Personal, private info. - I hung up! Tried the PIN a week later online...same issue. This is a very poor way to handle our privacy & identity breach!!!

I also noticed that on this letter I got from the "untied states office of personnel management" there is no date on the letter. Being military personnel, I'm very wary of being scammed, but where is the date?

Go to opm.gov for the most current information.

As of today, the OPM website shows examples of the two different letters it sent to people. There are two different letters because there were two separate breaches of information.

Go to opm.gov and look for the sample notification letters included as "Things You Can Do Now."

I went to the OPM.gov website and when I click on the cyber security link it takes me to "MyIDCare". I see everyone mentioning the monitoring will be through CSID, so why does the link on OPM.gov take me to MyIDCare?

Go to opm.gov for the most current information.

There were two cybersecurity incidents at OPM. The first breach exposed people's personnel data. OPM sent letters in June 2015 to people affected by the first breach. OPM worked with CSID to notify people about the first breach and to help people get services.

The second breach involved people's background investigation records. In September 2015, OPM started sending letters to people affected by the background investigation records breach. If your information was affected by the second breach, you can sign up for services from My ID Care.

I received a letter today in the mail. Mine says to go to opm.gov / cybersecurity to enroll in the identity monitoring services. The only problem is, it asks me for my personal information like my SSN. How can we trust a web site that we aren't sure about? How do we know it isn't a scam? I think I will just pay someone to monitor my credit/identity. Does anyone know for sure if this is legit?

If OPM sent you a notification letter and PIN code, that means OPM determined that your Social Security Number and other personal information was stolen in a cyber intrusion involving background investigation records.

If you were affected by the breach, OPM is providing you with identity theft insurance and identity restoration services. You don't need to sign up to get these services.

If you want the additional services that OPM will provide, you get them by signing up for My ID Care. OPM spells out how to do this on its website.

In general, if you want a company to protect your personal information, you have to share your personal information with the company, so it protects what you want protected. Whether you use services OPM makes available, or use services you choose and pay for, you will need to share your personal information.

My letter has 5 pins...why?

I have just received the letter from OPM.GOV too. I'm doing my investigation what it's all about.

You have just convinced me not to sign up with any services of that company, Bridget (or whatever your name is). Just read what you wrote: "if you want a company to protect your personal information, you have to share your personal information with the company". I'm 100% sure it's all fraud.

The company sends you the "official letter" with a "PIN". The company claims that it is protection and WILL protect your PPI. BUT....HOW CAN YOU CREATE THE CASE concerning personal information that had been stolen if the company DOESN'T HAVE your personal information at all AND ASKS FOR YOUR SSN? ))))

What kind of government security protection agency is that if it offers you the service of protection and claims that your PPI had been stolen and it's monitoring that but actually DOESN'T HAVE your personal information on file? ))))) It's a scam. Be aware!!! The actual agency which has a case about you doesn't need any personal information and it doesn't offer you additional protection if it can protect you. THINK ABOUT IT

If you recently got a notification letter and PIN code from the federal Office of Personnel Management (OPM), not a private company, it means OPM determined that your Social Security Number and other personal information was stolen in a cyber intrusion involving background investigation records.

If you're in that group, OPM automatically offers you identity theft insurance and identity restoration service, but that doesn't mean OPM carries out the insurance and identity restoration functions.

OPM offers you the services, but other entities provide the services. You would use the services if your identity was compromised or you had expenses for restoring your identity.

If you choose to sign up for the additional services (credit monitoring and identity monitoring) you would provide personal information so the company could monitor your accounts.

If you don't choose to sign up for additional services, you still have access to the identity theft insurance and identity restoration services OPM offers.

The simple questions are.
Why does the OPM offer the additional services? Why can't all protections go implicitly? Why does anybody need to sign up for the additional services? Does it cost extra money? If OPM and the Government want to protect you and it has an insurance then why doesn't it monitor your credit files automatically? All your financial accounts are connected to your SSN and current address, name, etc. If OPM knows that your PPI had been stolen and has an insurance for you why do you need to ask for some additional service?
The second simple question is.
Why does the additional service ask for your SSN? If OPM knows that your PPI had been stolen then OPM ALREADY KNOWS your SSN. Otherwise how does OPM know that it had been stolen? )))
If some "protection" company that sent you a letter that your PPI had been stolen doesn't know your PPI then how does OPM know that it's stolen? How does OPM created the case about stolen PPI if it doesn't have that PPI? )))))
Sound as a BS

I looked at the OPM website extensively, Bridget, so I know what it says.
I got my letter Nov 14. It says my "fingerprints were likely compromised." I didn't feel the need to look at the two different example letters on their website. What kind of ignorance is that, anyway?

I checked out ID Experts' website, and it looks like another gov't vendor providing worthless service at great cost to the taxpayer. There was even a Better Business Bureau complaint on ID Experts. What kind of national cyber-security firm joins the local BBB, anyway? After reading all these comments, I'm not signing up with ID Experts. OPM initially used another vendor--CSID--who proved worthless; and I imagine that's the case with ID Experts, too.
May God protect all of us who were victimized. The US government is not gonna do it; that's who made our personal and our families' and friend's personal information available to terrorists and thieves.

Bridget: If we signed up for CSID after the first breach, should we sign up for myIDcare as well? I received a letter several months ago then signed up for CSID. I just received another letter saying I should sign up for myIDcare. Do I need both or does CSID do everything myIDcare does? Thanks.

You can choose whether to sign up for the services OPM is providing.

You may want to check what services CSID offers, what services My ID Care offers and whether they are the same or different before you decide if you want to sign up.  For example, how long does a service last? What does it cover?

Bridget, if you are who you say you are, then you should know that parroting the same words over and over is not doing a thing to reassure us. Clearly, we've all BEEN to the OPM site and are still suspicious! I for one would love verification from a REAL authority that this is not a scam. You're only adding to our skepticism.

 laburke -- People may reach the FTC site because they searched for a word or phrase. They may read one article, one blog post, or maybe just a few comments -- maybe only one comment.

Our responses are designed to help as many readers as possible, including those who read only a little. If you read many FTC articles, blog posts, comments and responses, you'll see some information repeated.

If you want more information than you found on the OPM and FTC sites, you may want to contact your agency's Chief Privacy Officer.

I received my postal mailing today and after reading these posts I'm not sure about all of this either. If my fingerprints, personal data, etc. were compromised, why then do I have to give all of that to some contractor...shouldn't they have that info already? Also, how much $$ damage will the government pay for any stolen or charges not made by me? Seems like the companies that you pay for this service will then back you for a certain amount of $$. Let me guess how much they will back me if I have some fraudulent charges....

Go to opm.gov for the most current information.

As of 11/20/15, the OPM website says it will provide two services through ID Experts for the next three years to people affected by the background investigations breach. You don't need to sign up or pay for these two services.

1. Identity restoration service: If your identity is compromised, representatives from ID Experts will work with you to take steps to restore your identity.

2. Identity theft insurance for impacted individuals and their dependent minor children. The insurance became effective on September 1, 2015 and the coverage includes all claims submitted on or prior to December 31, 2018. The insurance covers you for expenses incurred in restoring identity and is valid for amounts up to $1,000,000 with no deductible.

OPM offers other services to affected people. You have to sign up for those services. Learn how on the OPM website.

Sooo, if you provide me with a 25-digit pin and then ask me to input the last 4 of my SSN, shouldn't that populate my information on subsequent pages? Why would I be required to provide additional PII, i.e. my entire SSN and date of birth, if you already have it to begin with? Why provide me with a pin at all? Why even ask for my last 4 digits only to request the entire SSN on the following page? If this is a legit site/program then its execution is extremely poor and instills zero confidence in the service provider. Additionally, the fact that you're going to send me a letter on a single sheet of paper that's glued together doesn't seem like a safe and secure way to address the issue of identity theft. And why when I click on the contact tab on the myIDcare site does it only provide a mailing address and the URL? Does anyone really work there? And why is Bridget Small the only one answering to this thread and why are her posts the same every time? People want answers, not programmed responses telling us to go to a website.

Yes, I received that letter, and do not have time to figure out what it means, but at least if something suspicious occurs I know where to notify about it.

I agree with everything you just said. I just got my letter today and I'm hesitant to even put any info in. Even if it's legit, obviously they're handling it the wrong way. They let our info get stolen when it should have been secure (I mean come on government, if you can't protect your citizens information how can you do anything right...?) and now they want us to go onto some website to put all the personal info into a completely different internet database. This whole thing is ridiculous.

Just got the letter. PIN number did not work! Doesn't surprise this FORMER Oracle DoD developer who left because of having to deal with incompetent FEDERAL employees. Makes me sick that my very personal info was stolen. I doubt that I will be working for the DoD after next year because my clearance will be due a renewal, and why should I update my info for the Chinese?

I just rec'd a letter saying my fingerprints were compromised, but the odd thing is that the letter was addressed to my maiden name, which granted, was my name when I hired in, but the letter was mailed to my parents' address. I wouldn't have used that as an address when I was hired. I used my own address. Very odd. I'm definitely hesitant to give any of my information to ID Experts. I already gave it to CS ID.

Bridget Small it appears from your repeated posts you may work for OPM or their ID Experts - Was this Breach at OPM only pertaining to Government employees? Does it include those who are civilians that have had contracts with government offices? The repetition in your posts sounds desperate rather than informative - It seems OPM is clearly trying to solicit their ID Experts, but why should we trust a business that was hacked? In no way am I willing to give person info to anyone over the phone or internet that I have no knowledge of other than a breached company OPM pleading me to do so - I don't believe it.

Dear Reader,

I work at the Federal Trade Commission.

As you'll see in our commenting policy, this is a moderated blog: FTC staff review comments before they're posted. We respond to questions and provide links to related information where possible. Because OPM is the primary source for information related to OPM breaches, I suggest that people go to the OPM site for the most current information.

Bridget Small

I JUST received my letter today telling me that my info was stolen. And logged onto the website it told me to enter in the pin and see what I could do about it. It's asking for all kinds of personal info. And I understand that to monitor everything, a bunch of info is needed to prove who I am. But this is a really poor way to go about doing things. Basically our SSN#s and more was stolen from a computer database and we're being asked to enter our info into ANOTHER computer database that it can be stolen from. If my information gets used, I swear I will sue for everything it's worth.

If you signed up with MyIDCare, you agreed that any dispute you have with ID Experts will be arbitrated; you waived the right to a trial by jury or to participate in a class action. See opm.myidcare.com/terms

So do I sign up like the letter says? Or is that a scam? why do they need my whole ss#? Don't they already have it? Help? Confused :(

If you recently got a notification letter and PIN code from OPM, it means OPM determined that your Social Security number and other personal information was stolen in a cyber intrusion involving background investigation records.

If you're in that group, OPM automatically offers you identity theft insurance and identity restoration service.

You can choose to sign up for additional services:

  • credit monitoring
  • identity monitoring

In general, if you want to get identity protection, you have to give information that proves your identity. For example, you might have to give your social security number and other information so a company can locate the accounts you want them to monitor.

I just rec'd a letter in the mail from OPM. I did go to the website provided in the letter: , then I had two choices: to sign up for services or if I want more information. The more information side shows you what your letter is supposed to look like & the services page takes you to another page which explains the letter & there is a link to sign up for services, which takes you to a website:
There isn't anything for this CSID site-noted above, which when I went to it wouldn't accept the PIN number provided on the letter....so I'm super confused & not sure if I should sign up or not.

There were two breaches at OPM. Earlier in 2015, OPM found out that people's personnel records had been stolen. OPM sent letters to those people earlier this year.

In June 2015, OPM found out that some people's background investigation information was stolen. OPM started sending letters to people affected by the background investigation breach at the end of September, 2105.

The letter you got from OPM should explain how to get services to respond to the breach that affected your information.

Bridget Small - I just received a letter stating all of my personal information including finger prints have been stolen. The response to provide identity protection for three years (starting 5 months PRIOR to me receiving the letter) is not an adequate response. With whom do I speak to address this matter? Will this require me to contact my congresspeople? Also, are we restricted to identity protection through ID Experts or can we enroll in a separate service. I'm uncomfortable providing more personal identifying information to a company I've never heard of.

People affected by the background investigation records breach are automatically provided with identity theft insurance and restoration services. Those individuals can choose whether or not to enroll for identity and credit monitoring services provided by the company OPM selected.

You may get additional information from the Chief Privacy Officer of the agency for which you work and the Frequently Asked Questions on the OPM website.

OPM guidelines from OPM letter, in bold: "Please note that OPM and ID Experts will not contact you TO CONFIRM ANY PERSONAL INFORMATION. (emphasis added) If you are contacted by anyone asking for your personal Information in relation to this incident, do not provide it." Very clear. Got it.

First section of Account Creation from "myIDCare (provided by ID Experts)" (quoted from the website): "Personal Information...The following personal information, ... is required to verify your identity..." Violation of OPM guidelines. Must be a scam. Very clear. Got it.

After all, it wouldn't make sense that compromised PII would be used to verify identity, or that OPM would decide to hinge the entire security of this process on a 25 digit PIN, which doesn't comply with the most basic password complexity requirements. Doesn't pass the sniff test. I'll wait for the real OPM letter. I mean, even the free checks I get from the bank have rudimentary anti-counterfeiting measures...

Given the set of victims of this negligence induced breach, I would expect the OPM to provide 1st Class, no expense spared mitigation.

To check whether the letter you received is from OPM, you can refer to the OPM website.

The OPM website includes images of the letters OPM sent to affected people. Follow this link to opm.gov and scroll down to "Actions You Can Take Now."

Of course all this makes sense, if you assume that OPM is run by idiots.

How can I verify if my ex-spouse and/or children are victims of the background investigation breach? Please note that any address, email, and phone contact info is out-of-date.

Is there a site (or, God forbid, phone number) to check to see:
1) whether their SSNs were compromised
2) whether, and to what extent, they are covered by the credit/identity monitoring services.

Go to opm.gov for the most current information.

The OPM site has questions and answers for people affected by the breach. There is information about spouses & family members.

If you were affected by the background investigation records incident, you and your dependent minor children are entitled to certain services from OPM. The resources on opm.gov  tell more about what's available for people who were affected.

I received a letter, and enrolled with MYIDCare; my fiancée also received a letter. This confuses me since she is neither a service member, nor has she ever been a federal employee. I did list her on my most recent security reinvestigation form, but no SSN. What information could have possibly been stolen from someone listed on that form? Do I need to contact my other civilian references and tell them to beware of ID theft?
I'll standby for an answer before she signs up, and provides info to another database that can be hacked. This sucks!

You can get the most current information from opm.gov, or check with your employer's Chief Privacy Officer.

As of 11/27/15, the OPM site has information about the spouse/partner/family member of affected people:

Some background investigation forms ask for the SSN of your spouse or co-habitant. If you filled out a form that asked that, the other person will get a notification and will be able to sign up for services.

But some forms don't require the SSN of your spouse, cohabitant or other family members. You might have listed a spouse or family member's name, address, date of birth, or similar information, but not their SSN. In many cases, the information you listed is the same as what's generally available in public places like online directories or social media, and generally doesn't create the same amount of risk as if a SSN was exposed.

Here's my problem with this whole thing. You admit my data has been stolen, yet you need my data? Why don't you get it from the person that stole it.

A letter regarding my fingerprints, etc being compromised was just delivered to my home via the USPS.

There was no envelope, it was a letter that was folded in three sections with perforated edges (fold and tear). It shows that it came from OPM Notifications; 4 Columbia Pike Annex; Washington, DC 20370-1004. The Presorted First Class Mail U.S. Postage Paid imprinted (not a rubber or regular postage) on the letter says Indianapolis, IN Permit No 1310.

It has Office of Personnel Management as the letterhead with the phone number 800-750-3004 to enroll\ask questions as well as the website https://www.opm.gov/cybersecurity.

I have never seen or known of the street that this letter came from and find it suspicious and have not called the number or gone to the webpage (although it looks legitimate). Has anyone received a letter like I described?

The federal Office of Personnel Management (OPM) has a web address that ends in dot-gov, showing it is a government website.

You can type that address into your web browser and look at the information about cybersecurity and the breach of personal information. The website shows copies of the letters OPM is sending to people affected by the breach.

You guys had me convinced this was a scam. Glad I did what I did. You should too. Get off this thread and Google OPM. Their website is an official .gov website. On this website they talk about the 2 big security breaches and how they have been notifying people since 9/30/15. They explain the significance of this to you and your spouse, family, etc. And, most important, there is a copy of the official letter they sent out to people. And it's the letter I received.

Don't believe me? Go look for yourself.

I just received the letter (Nov. 27, 2015) about the breach. I had a Government security clearance once, and currently work for a company doing income tax preparation. The hiring process required a background investigation before hiring could take place. Both could be possible reasons for the letter. But sending all the information required via the I-net is troubling. How about a letter to OPM instead?

This just seems like a temporary fix for a long term problem. This is just a bandaid for the ignorant masses of the affected. OPM needs to do a better job protecting their info, sorry, meant to say my info. Class action are two words OPM is more than likely not afraid of because of who they are. OPM probably sold all the info for enough to make a monthly payment on the loans from China.

Anyone notice that miss small never replies to those of us asking about suspicious information and circumstances? Also my father had his information "accidentally released" to the public about 10 years ago or so. Yes they offered him identity theft protection but it does no good. Over 10 years my father had had his identity used again and again. What good is a three year coverage plan going to do when you have to spend a lifetime dealing with this crap? My dad tried to apply for a new social but the government refused. Might as well be skipping pennies across a lake.

Might as well sign up not like I have to worry about my I.D. being stolen or any thing like that right? Kind of like buying a car alarm for a car that has already been stolen right?

How do we know the website is even real? Anyone could send out a letter with PIN #s on it and post a copy of what the letter should look like on a fake web page. We then go to their fake website and enter all of our private information thinking it is going to protect us. There has to be a more secure process than this.

I'm giving it a try as I already have had someone in Illinois using my SSN to work and no one in the government nor law enforcement seemed interested in helping when I contacted them. (How would I know if it is the OPM breach?)
My question, Ms. Small, is will we be charged for continuing this service after 18 months? Also, why are the credit scores not offered? (I can see the reports.) Thankfully I already have some other tracking going on to see mine but I do believe people should know it might not be the most thorough site for "one stop shopping".
I sincerely hope this service helps and is being utilized in good faith and not with motive to make money.

If your personal information has been misused, you'll find helpful information at identitytheft.gov.

There's information about what to do right away, how to correct your credit report, how to report a misused Social Security number and more.

Currently, the OPM site says that people affected by the background investigation incident will have services available to you and your minor dependent children at no cost for three years (until December 31, 2018). I didn't see anything on the OPM site about the cost of services after that date.

To stay up-to-date on the news and information, you can sign up for OPM’s cybersecurity email update list.

Any entity wishing to do contract work with the government has to first register with Dun and Bradstreet, which is the most unscrupulous, Brawndo-like corporation in the US. They immediately sell your information after you go through endless hurdles to "opt-out". Why should I think MyIDCare is any different? Further, I believe SAM.gov's disaster of a registration site is maintained by IT techs in India. How stupid is that? There is no reason whatsoever for me to provide my identification details to a 3rd party, which would only increase my vulnerability to identity theft. I wish I'd never gotten a clearance or registered in SAM.gov. If only I'd known what I know now about how our government has sold us out to the highest bidders. Makes me absolutely sick!

The security questions alone make this sound like a scam to sell our info to data mining companies like Spokeo, etc.

I got the letter via snailmail, today. An immediate red flag for me was that it had a current address, but a previous married name I haven't used since 1977!!!!!

Have NEVER applied for a Gov. or Fed job. Why was my info compromised????

I think this is a big scam itself!!!!

I got the letter as well and not sure either if this is a scam. I am not a government employee. I don't want to be giving out my info either. Not sure where this came from.

Been following this for some time. Looks like a duck... Looks like phishing, must be. I think Bridget may be working for myIDcare. She has been spending a lot of her free time from her supposed FTC job promoting this third party. I'm out, and will treat this as a scam! Don't give your information out to anybody that you are not completely comfortable with. We have all been taught to not follow links in email that you are not sure of. myIDcare through OPM is a scam!

If this letter is legit (yes mine looks like the one on the OPM website (an agency I have never heard of)) but why was this letter not sent to those of us affected by certified mail? I mean I received a sexual harassment survey certified mail and it was entirely less important than this issue! I am thinking about taking the letter to my local law enforcement agency to see if they can help.

In reading over the terms of use of myidcare, I can hardly believe that OPM is allowing the terms to be so bad. Even quoting any of the painful terms is against the terms, due to 14 E. In 4 B, they make no warranty about any information they provide. Considering the reason that we're here in the first place, the worst terms are in 5.A.ii.3 - they are not liable for any failure to store our information. How can OPM be partnering with this company? It is like they are treating us with an evil laugh and "Ha! You're stuck with us, so we can put out whatever offensive terms we want."

I have searched on line regarding this action. In the letter it says that "OPM and ID experts wouldn't ask for personal info". They advise in the letter: "If you are contacted by anyone asking for your personal info in relation to this incident, do not provide it" And that is exactly what they do after you enter the PIN???!!! And it was not mentioned in the letter, that they will ask that. After I read the letter, I thought, oh, that's cool, I just give them that PIN and they will know who I am. I was in a shock they are acting exactly like a phishing scam.
Like the most people, it makes me extremely uncomfortable that after the data breach they ask me to enter on line my SSN, address, DOB.
Even if myIDcare is legit, doesn't OPM already have all our info? Why would we need to expose our info once again? If Chinese were able to hack government info, why wouldn't they hack myIDcare? Either way it is all gamble.

Ms. Small, why does the site we are taken to from the opm.gov page have a .com address: opm.myidcare.com? It is concerning that we are asked to enter ss# and other information on a .com website. Thank you.

The OPM website (opm.gov) has a link that goes directly to the contractor OPM chose to provide services.

You can read more about the contractor and selection process at opm.gov/cybersecurity. Click on the question that says "Who is the contractor providing services for the background investigation records incident?"

1. I find it interesting that only civilian accounts were breached. Suggesting an inside job.
2. Isn't this like closing the gate after the horse has already bolted.
3. This looks like an attempt to remove culpability by our untrustworthy Govt.
3. A class action Suit should be in order.

oh i think this is wonderful!

if you are screening the comments then you are acting illegitimately. Govt betrayal once again!

I just received the letter. I have never worked for .Gov, but applied for TSA precheck, which includes a background check. Could this info be included in the hack? If that's the case, we have a much greater problem. Thousands of civilians are now vulnerable to this cyber incompetency! I will wait this out until I have more info.

I received a letter, checked the OPM www site, and after initially logging in I found it wanted waay too much personal info.

I'm too uncomfortable about this. They have my info they can monitor this themselves, I'm not going to fill anything out. If I'm breached, they still need to fix it.

I received my letter today, 12/4. I did hold a civil service job for a short time earlier this year and also applied for another civil service test a few months ago. I'm confused because the letter was addressed to my married name and I've been divorced 25 years and ex deceased 21 years. When was my info stolen? Should I expect this letter in my current/maiden name?

Go to opm.gov/cybersecurity for the most current information.

The OPM site has copies of the letters it sent to people. There are different letters for people whose finger prints were - and weren't - compromised.

The site also says that OPM tried to locate the best address for people who were affected by the incident involving background investigation records. Unfortunately some letters have been mailed with old addresses or names.

there is a strong irony in giving so much information on the web because your information on the web was breached. Nevertheless, the letter with the five grouped pin number and the opm web site worked fine. I got credit report from all 3 services and will get email notices of any future breach.

also, free identity theft insurance

My son calls me this morning from NY that he has received a letter with Mom's name (over FL) and his NY address, from opm.gov with pin number. Advise Mom to contact with IDExpert. I have a basic question how could the Name and address scrambled in this letter? OPM.GOV and ID Expert are really doing any thing? Apparently, you have provided more personal information, i.e date of birth, etc to register. By the way, do you have to pay a protection fee to this IDExpert for their service?

Go to opm.gov for the most current information. There's information there about what to do if you get a letter in the wrong name, or with other mistakes.

In general, if you want someone to protect your personal information, you have to tell them your personal information so they know what to protect. You are not required to enroll in the services OPM is offering. If you choose to enroll in credit monitoring and identity monitoring, you will provide information so the company can monitor your information.

The federal government is providing the services to affected individuals for a certain period of time. While the government provides you with the services, you don't pay for them.

Domain opm.myidcare.com data: Registrant Name: Identity Theft Guard Solutions, LLC Registrant Organization: Identity Theft Guard Solutions, LLC Registrant Street: 10300 SW Greenburg Rd Registrant City: Portland Registrant State/Province: OR Registrant Postal Code: 97223 Registrant Country: US Registrant Phone: +1.9712424704 =================================== Bottom line: it's marketing scheme to involve people into the paid service, which is really not needed because major credit cards provide it for free + everybody can get the free credit report once per year. Not sure if it's a fraud (besides masking as federal service, again not sure if it's a crime) but definitely scum. Period.

If you were affected by the breach of background investigation records, OPM is offering you, and any of your dependent minor children who were under the age of 18 as of July 1, 2015, credit and identity monitoring, identity theft insurance, and identity restoration services through ID Experts.

If you choose to enroll in credit and identity monitoring, the government will provide the services for a certain period of time.

You are not being asked to pay for the service during the time the government covers you.

Credit and identity monitoring are different from the loss protection you have on your credit card. If your card is used without your permission, you can be held responsible for up to $50 per card.

You can get a free copy of your credit report, at your request, from each of the three largest credit reporting companies once every 12 months.

Each of the domain names are registered to one guy, Chris Kane. What security company would allow that? Even if Admin and Tech? And this guy has about nine different domains with the same category. Not doing this.

Admin Name: Identity Theft Guard Solutions, LLC Admin Organization: Identity Theft Guard Solutions, LLC Admin Street: 10300 SW Greenburg Rd Admin City: Portland Admin State/Province: OR Admin Postal Code: 97223 Admin Country: US Admin Phone: +1.9712424704 Admin Phone Ext: Admin Fax: Admin Fax Ext: Admin Email: chris.kane

Never fall prey for FREE GOVT anything! Too incompetent let them steal my credit! They will get laughed at.

You need to give more exact identification info. Is opm.gov real? I got a letter, not email from them. They seem to want more personal info-a sure trouble sign. this is a real poor way to deal with info security!!!

OPM.gov is the website of the United States Office of Personnel Management. It is a federal government website.

You will find a great deal of information about the breach and the services OPM is providing to people affected by the breach at opm.gov/cybersecurity.

You are not required to provide personal information. If you choose to enroll in the additional services OPM is making available, you will give personal information to enroll in those services.

Got this letter in the mail today 12/5 does anybody have any new info on this breach

You will find a great deal of information about the breach and what OPM is doing for people affected by the breach at this federal government website: opm.gov/cybersecurity.

That is a website of the Federal Office of Personnel Management.

If you received a letter in December, it is probably about the breach of background investigation records. Look for information on the OPM site about that breach.

Is the recommended monitoring Co. MYIDCare for real for our breach for 3 years for free? ligidiment Why can't the government change 2 # on our SS# with our permission, this would solve the problem

the myIDcare is just a way to get you waive your rights in a class action lawsuit. Read the "terms of Service" BEFORE you check that box!:

THESE ARE THE TERMS OF OUR AGREEMENT WITH EACH OTHER. ALL OF IT IS IMPORTANT SO TAKE A FEW MINUTES TO READ IT CAREFULLY. BY ENROLLING AND THESE SERVICES, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO THESE TERMS AND CONDITIONS.

THIS AGREEMENT CONTAINS AN ARBITRATION CLAUSE AND A CLASS ACTION WAIVER.

YOU UNDERSTAND THAT BY ENROLLING IN THE MYIDCARE PROGRAM FOR OPM (THE “OPM PROGRAM”), YOU ARE PROVIDING "WRITTEN INSTRUCTIONS" IN ACCORDANCE WITH THE FEDERAL FAIR CREDIT REPORTING ACT, AS AMENDED ("FCRA"), FOR IDEXPERTS, CSIDENTITY CORPORATION (“CSID”) AND THEIR RESPECTIVE SERVICE PROVIDERS, WHICH MAY INCLUDE CONSUMERINFO.COM, INC. (“CIC”), TO OBTAIN INFORMATION FROM YOUR PERSONAL CREDIT PROFILE FROM EXPERIAN, EQUIFAX, AND TRANSUNION, THE THREE MAJOR CREDIT REPORTING AGENCIES. YOU AUTHORIZE CSID AND ITS SERVICE PROVIDERS TO USE YOUR SOCIAL SECURITY NUMBER TO ACCESS YOUR PERSONAL CREDIT PROFILE, TO VERIFY YOUR IDENTITY, AND TO PROVIDE CREDIT MONITORING, REPORTING AND SCORING PRODUCTS AND TO PROVIDE THE ADDITIONAL PRODUCTS AND/OR SERVICES TO YOU, INCLUDING, BUT NOT LIMITED TO, ADDRESS HISTORY REPORTS, NAME AND ALIAS REPORTS, CRIMINAL OR SEX OFFENDER REPORTS, AND TO PROVIDE MONITORING AND/OR ALERTS TO YOU.

I'm guessing that Bridget Small is part of the scam. Do not believe her. Do not give out your personal information on their website.

Johnnyk -- I'm sorry you guess I'm part of a scam. I'm not. I'm a federal government employee, working for the Federal Trade Commission.

The FTC provides this free blog and consumer education on dozens of topics in English, Spanish and other languages to help people spot and avoid scams.

I work for the FTC, not OPM. You'll see that I usually refer people to the OPM site for more information, because OPM is the agency that's helping people affected by the breaches.

If your information was exposed in a breach, you can read about what to do at identitytheft.gov, or look at the questions and answers on the OPM site, or contact the Chief Privacy Officer at your agency.

You just repeat yourself, that's what you do.

Got this letter in the mail-box today ( 12-7 ), looks like Trouble DeLuxe to me. Think I'll be better served to run it thru the shredder and MOST Certainly don't call that 800-750-3004 phone number ! ! ! This whole dang deal smells like a dead skunk on a hot August afternoon !!! The little bird on my shoulder is saying " RUN !!! NOW ! ! ! "

FYI. If you've placed a security freeze on your credit with the credit agencies you can't complete the registration process. I didn't see any notice of this before or during the signup process and there's no mention of it anywhere that I could find. They should inform you of this *BEFORE* you enter all your personal data. The process fails telling you to call the 800 number after you select a user ID and password. Calling the number and entering the PIN and last 4 SSN they put you on hold for 5 minutes and then tell you the lines are full and disconnect.

My spouse and I both received letters from OPM. First thing I noticed was no middle initial in either of our names. I worked for many years in the federal government and NEVER saw official correspondence without middle initials.

I received a physical mail from US postal. I called BBB to see if the number was legit and they have no record of it, couldn't even direct me to an official government BBB to confirm its authenticity, so I'm tearing it up and tossing it into the garbage and contacting my local LifeLock company in the morning. Please beware, sounds like a scam for real.

The federal government has a website that explains the data breaches that affected many millions of people.

Go to opm.gov/cybersecurity to see samples of the letter the Office of Personnel Management (OPM) is sending to people whose information was exposed.

If you are affected by the breach, OPM will provide you with free identity theft insurance and identity restoration services. OPM is also providing you with credit monitoring and identity monitoring if you choose to enroll.

Received same letter yesterday and never worked directly or indirectly for the government. Worked for a nonprofit and needed access to VA hospitals and access to a military base in my area so background check was done. It is hard to wrap my head around how my government managed to lose my personal information and is only willing to help (if I so choose and give up some rights in the process) for a few years with credit monitoring when what they have lost could be used to destroy my credit until the day I die. Even if I decide to sign up for the free service, this is only a band-aid and what a bonanza for the vendor who after the government stops paying for the service (with our tax dollars by the way) to continue the coverage, we will need to pick up the tab. The government caused this problem, they should consider making it right with lifetime protection or new SS numbers. I would bet new SS numbers for all involved would be less expensive than the credit monitoring.

Why is the myidcare website failing HTTPS?

Everybody on here would probably agree this is a HORRIBLE way for the US govt to handle a security breach. Unbelievable, well not totally, but definitely sad. Beth F Cobert should be embarrassed and re-evaluate this process. Wait, here's an idea... let's instill confidence with the victims by asking them to provide the very same personal info that was hacked, and do it by directing them to a website (company) who will not be able to prevent a problem from occurring. From what I can deduce from this mess, myIDcare may, or may not, help put the pieces back together after the damage is done. It's only applicable to victims who suffer a loss over this whole mess. The way I see it is the govt is putting people at risk of being hacked yet again by putting the information out there yet again... It is odd the FTC leaves Bridget Small to deal with the mounting concerns and skeptical victims. I was speechless at first, but now I'm totally confused, frustrated, and upset. Nice work!

Thank you, my sentiments exactly.

Like many of you, I too had my suspicions. My last name had a typo error so I thought this is scam. I just came off the phone with OPM agent, where I was able to apply over the phone. The phone process took about 12 minutes. I did not use the phone number in the letter, I went straight to their website and took the number from there. There were many other things I read on their site before determining this was legit. THIS IS THE REAL DEAL!!! I started signing up on the net but got to a point where they asked me for my entire SS number so I stopped. The info needed on the net is just what they needed on the phone. The instructions on the letter are safe to follow. I had to provide the agent with the PIN number from it. Hope this clears up things for those unsure.

It might be the real deal, but it is scary that now the same data that was compromised is now in yet another database! And worse, my wife's letter has an invalid PIN so she cannot sign up. Both mine and hers are valid letters from OPM. The 18 months also means nada since all the bad guys just need to purchase and hold on to the data until January of 2019 and poof, we are left in the wind. Unless you purchase, for an extra fee, additional monitoring.

I'm convinced that the letter I received is legit. I am, however, concerned with the amount of information required to be submitted over the internet, even though it is an https site. I'm not sure if there is a more secure method of enrolling, though.

Questions for Bridget:
How long does the free coverage last?
How much will it cost once the government stops paying?

It seems these answers should be readily available if anyone at all has any kind of plan to protect those affected. Otherwise, I'd agree that this is just a patch or band-aid to temporarily placate those affected by the government's inability to protect us.

The OPM website (opm.gov) has the most current information.

The questions & answers at opm.gov say that if you were affected by the breach of background investigation records, your identity theft insurance and identity restoration coverage began on September 1, 2015 and will end on December 31, 2018.

You'll have to ask the company that provides coverage about its costs.

Ms. Small, can you answer the other part of the question: how much will coverage cost those of us not responsible for the information leak after 31 December 2018?

No, I can't say what the cost of coverage might be in the future. That information doesn't seem to be on the OPM site (opm.gov). You'll need to ask the company what their costs will be in the future.

Thanks, Bridget.

So if you sign up for the service they are offering you also are signing away any right to sue or join class action suit. Read the terms before you agree.

I received the letter in the mail this past week that my information has been compromised, probably from my husband's background investigation. I then received a notice taped to my door that a local OPM representative with a local phone number wanted me to call them. Their name and # were handwritten on an index-card-size card with an OPM emblem on it. This seems a little funny to me that someone would come to my door when I got a letter in the mail. I'm wondering if this is a hoax. Or if I should call this person. I have not noticed any other comments on this page that people have had a human come to their door and leave a notice.

OPM is not contacting people affected by the data breach in person. This is a ruse by fraudsters who are out to steal personal information or commit some other type of fraud. Please file a complaint with the FTC about this, so law enforcement can investigate.

The OPM website clicks through to another one at myidcare.com - a commercial site. Is that legit? I feel insecure putting my SSAN into it.

MyIDCare is the brand name of ID Experts’ identity-monitoring product being offered to you if you were impacted by the OPM background investigation records incident. Please visit www.opm.gov/cybersecurity/faqs/ for more information.

 

I got a letter today about the breach mailed to my place of work. I never used that as an address for any application. Why not send it to my home? I think this is a scam.

After reading all these comments I am more confused than ever!!! I received a letter stating that "it has been determined that my SS number and other personal information was included in the intrusion". I have never worked for any Federal agency though years ago, I think I applied for an FAA position, so I am finding this hard to believe. Bridget Small-FTC, is there a brick and mortar Federal agency we can visit to verify the legitimacy of all this?

I never worked for gov. Why am I getting a letter? In 2002 I worked for a trucking company, did background check for hazmat permit.

There were two breaches of OPM files. If you got a letter in December, it was probably about the second breach, a breach of background investigation records.

The OPM site (opm.gov) has questions and answers for people affected by the breach. The site says that if you had a background investigation through OPM in 2000 or afterwards (and submitted forms SF 86, SF 85, or SF 85P for a new investigation or periodic reinvestigation), it's very likely you were affected.

You might also be affected if you are a:

  • Current or former federal government employee
  • Member of the military or veteran
  • Current or former federal contractor
  • Job candidate required to complete a background investigation before your start date
  • Spouse, co-habitant, minor child, close contact of any of the above groups (because someone might have listed you on THEIR application)

I don't think this is legit. The letter sent to me had a PIN number, and once I went to opm.gov/cybersecurity, it requested the last 4 of my SS. Once I entered it, it should have automatically populated my personal info they have on record. Had they done that, I would have known that they actually are who they say they are. Instead they want more info on me. If they have been compromised, what assurance do I have this site is not really the malicious cyber intruders?
I say if (OPM) is sending me this letter and they sent a PIN number and I give them the last 4 of my SS, (OPM) better be able to show me proof of what they have on file on me before I consider providing more info, instead of me filling in the blanks for them. I say beware!!!!!!!

Go to opm.gov for the most current information. OPM continues to add new information to the site.

The OPM site says that if you were affected by the breach of background investigation records, you will get a notification letter with a PIN code. The PIN will be used to check if you're eligible for the services OPM provides.

OPM did not give your personally identifiable information to ID Experts. That's to protect your information.

You give the PIN and last 4 digits of your Social Security Number to ID Experts because that's the only way it can check to see if you're eligible for services.

After you give the PIN and last 4 digits of your Social Security number, OPM uses a one-way algorithm which has to match what you tell ID Experts before you can sign up for services.

Received my letter this afternoon. Went through the 25-digit sign-up process, it completed successfully. Logged out of site.

Received a welcome email from MyIDCare.com a few minutes later that directed me to log in. Clicked the link that brought me to a page saying that my device was not recognized (the same computer I created the account on) and that a passcode would be required. Passcode arrived by text message. Entered it into the myIDcare Identity Verification page and pressed "verify passcode". A minute goes by, two, then an error page pops up titled "Server Error in '/SecureAuth1' Application". A section titled "Object reference not set to an instance of an object", then a JavaScript stack trace. Have gone through this twice with same result.

Called the help line. Agent told me to enter pin into the passcode field. Told agent it was a 6 digit passcode not the PIN. Agent said she would transfer me to tech support, then hung up on me.

Called back again. This time an agent who was very efficient, transferred me to tech support: 20 minute wait time. Talk to tech support agent, very nice man, who tells me that there are too many people trying to access their servers and they don't have the bandwidth to handle them all.

Ask him why, if Amazon can handle all of the holiday traffic, the U.S. government and its contractors can't? He says that he's asked the same question and received no answer. He tells me that on Black Friday Amazon handled 10 million connections without an error.

I know that Amazon offers cloud services based on the same cloud services that they use to handle their transactions. I know Google and Microsoft offer similar services. So the question remains, why can't the U.S government, with the vast resources provided by our tax dollars, not do what Amazon, Google and Microsoft can? Those companies, and others, offer cloud services that would be a better use of tax dollars than the current broken myIDcare system. On those cloud systems you can even specify that the services and data remain in the United States, and at specific locations in the U.S. There really is no excuse for a smaller version of the Obama care sign-up fiasco.

I just received my letter today, Dec 13 2015. In my maiden name. When I worked for the post office I was, and have been, using my legal married name, even now after a divorce. I haven't used my maiden name since 1984. I'll be taking this letter to FBI cyber crimes, and then to a lawyer for a class action case. Govt gives my info and FINGERPRINTS away, and only wants to do 3 yrs of free security. Get out of here.

I received the OPM letter with a PIN. However,

1. It was sent to a colleague's address, not mine.

2. It did not use my middle initial in the salutation.

3. The web site listed (opm gov/security) did not load.

4. The letter said I could call 1-800-750-3004 to "ask questions", but when I did, there was no opportunity to ask questions, only to register with my PIN. With all of these red flags, how do I know this letter is legitimate? Thank you.

Go to opm.gov for the most current information. You can also contact the Chief Privacy Officer at your workplace.

The OPM website has a lot of information for people affected by the security breaches. The site says that the government tried to locate the best addresses for people, but some letters went to old addresses or names. If you think a letter was meant for you, you can use the PIN in the letter if you want to register for identity protection and credit protection.

OPM is using this address: opm.gov/cybersecurity

Thanks. I managed to use the letter to register and it seems fine.

A small 'note' was left on my door. It was "OPM Form 1634." It asked that I contact an OPM investigator at the phone number shown. Is this legitimate and how can I confirm this?

OPM's agents will leave OPM Form 1634 at the residence of contacts. Individuals can verify the status of an OPM investigator by contacting FIS Security and Safety Team at 888-795-5673 or fissst@opm.gov.

Wondering why I didn't get an email at work where the security screen all began. There is a crew of security experts onboard and we never heard a word about this from them. Certainly don't feel comfortable giving out SSN along with DOB and name. Easy to access anything with that info. I am with others with the thought that they already have all this info, so why try to extract it from us. The letter said no one would "call" looking for this info. QUOTE from letter: "If you are contacted by anyone asking this info, don't give it to them." Good guy, bad guy tactic? I will check at work before proceeding. Surely everyone in my office must be getting the same letter.

Go to opm.gov for the most current information.

The OPM site will answer many of your questions.

OPM is sending letters, not email, to affected individuals.

You are not required to enroll in services. You have a choice about whether to enroll in the credit monitoring and identity monitoring OPM will provide. If you choose to enroll, you do not have to provide your full SSN.

Bridget, how many have signed up so far?

I don't know how many people have enrolled in the credit monitoring and identity monitoring services OPM is providing.

Hi, has anyone else (after signing up for services) received emails from IDCare Experts every couple of weeks saying there is an alert on your account, only to log in and there are no alerts? Sounds suspicious or their alert services keep posting false positives! Thank you

I received a letter and signed up. As far as I can tell, the service is legit. If MyIDCare is a scam, it's incredibly elaborate and expensive. I'm impressed with their website and services so far. I'm amazed at all the paranoia, distrust, and whiners here. You think this is the only security breach that has happened or will happen? Get used to it. Just like crime in the streets, ID theft is a fact of life on the Internet. Good luck trying to sue the government.

I'm not a Federal employee but just got the now infamous OPM data breach letter a couple days ago. At first, like most people here, I thought it was a scam. Not being in the Federal Government, I had never heard of OPM and thought it stood for Other People's Money. This added to the hoax factor. Then I did a lot of reading and came to the conclusion that this really happened and this letter is real.

Why me? I narrowed it down to a seasonal job I took with the IRS 11 years ago. They did a thorough background check on me which included fingerprints. Yes, folks-our government doesn't purge their database!

We're all in a mess and it's obvious that our government needs help otherwise their database wouldn't have been breached twice. Hence, the need for a .com IT place. I also imagine that current laws protect our data so that we have to willingly give our PII to anybody else rather than the government just handing it over to anybody. So, these things I understand. What I don't understand is why ID Experts was chosen. Are they the best out there at protecting our identities or were they just the low bid contract?

My letter from OPM indicates that ID Experts is the company that will provide identity theft protection. Is this the same as IDC? I haven't signed up for anything yet because I'm still being very cautious.

Go to opm.gov for the most current information. You'll find answers to many of your questions on the site.

The OPM site says that people affected by the background investigation records breach will get services through ID Experts. The service that ID Experts gives is called MyIDCare.
