OPM data breach – what should you do?

Update (December 9, 2015): OPM discovered a second data breach that affects federal employees, contractors, and others. If you received a letter from OPM, please visit opm.gov/cybersecurity to learn more about what happened and to sign up for free identity protection services.

A data breach at the Office of Personnel Management (OPM) – and you’re a current or former federal employee whose personal information may have been exposed. What should you do? Take a deep breath. Here are the steps to take. 

First Steps

  • Check your credit report at annualcreditreport.com. Look for accounts or charges you don’t recognize. Even if the breach didn’t involve credit card information, thieves may use your Social Security number, address and date of birth to open accounts in your name.
  • OPM announced that it plans to offer credit report access, credit monitoring, and identity theft insurance and recovery services to potentially affected individuals. Take advantage of this offer.
  • Place a fraud alert on your credit reports. With a fraud alert, businesses must verify your identity before providing new credit. An initial fraud alert lasts 90 days but you can renew it.    

Next Steps

If your information was exposed, then OPM will send you a letter explaining what information was involved. Your next steps depend on the type of information exposed:

Social Security number

  • Consider placing a credit freeze. Why? Thieves can use your Social Security number to open new accounts. With a credit freeze, no one can open a new account in your name (until you lift the freeze).
  • Next year, try to file your taxes early – before a scammer can. Once your Social Security number is exposed, a thief can use it to get your tax refund.

Bank account, credit card, or debit card information

  • Contact your bank or credit card company to cancel your card or close your bank account. Request a new account number.
  • If you have automatic payments, update them with your new account number.
  • Review your transactions regularly to make sure no one has misused the account.

 Online login or password

  • Log into the account to change your username or password. If you can’t login, then ask to shut down the account.
  • If you use the same password elsewhere, change that too.

For updates about the breach, check OPM’s website. For more information about what to do after a data breach, and a handy checklist of steps, visit Identitytheft.gov/databreach.

Remember to continue checking your credit report at annualcreditreport.com, in case information is misused in the future. You can order a free report from each of the three credit reporting agencies once a year.

If you discover that someone is misusing your information, you’ll need to take additional steps, including filing a complaint with the FTC. IdentityTheft.gov walks you through those steps – because recovering from identity theft is easier with a plan.   

Comments

Is this impacting retirees and recipients of death benefits?

Former federal employees could be affected. OPM's website says that beginning on Jun 8 and continuing through June 19, OPM will be sending notifications to approximately 4 million individuals that could be affected by the breach.

How do I delete my idcare account I think its all fraud how do I delete

MyIDCare is what is being used to protect you, it is not fraud.

I'm still USMC wife of 13yrs, & I'm a Former Goverment Contractor X's 2 @ a Naval Hosp Fam Med & did the fingerprint(2002-2005 & 2008-2009), then moved onto the Taxpayer Advocacy Panel w/in the IRS/Dept of Treasury; got another OMB No. Sec Clearance.

Here's my issues: I get this letter, thinking it was my husbands this time. (Note: I have been dealing w/every type of fraud since 2005 & I've been hit 18 times, since before this letter.) Now, I call & I set it all this up, thru IDCare, BAM!! They call me, "Mrs. X, your email address, do u not know"? ... You have to have a "Special Pin #", you should have been getting a lot of notices that all your personal information, banking and financial services and medical and more were compromised back around 2003-2004."

"Excuse me"?? I tell them about my cell that was sent to me UN-ReStored & no one will take the blame for it, all the bank charges of fraud & wont pay back, how many yrs I have worked on this, the Government saying no ur SS# safe, when I had to prove I owned it & I have was me in 2005?? I just want to know bc I'm so tired of filing who @ the OPM is personally responsible for not notifying me? My husband is Active Duty, I'm EFMP, their in the same building, or so I heard... Who is going to fix our credit, make the banks, credit card Companies pay us back? Honestly, How many years was I not contacted about this lack of communication & w/my diagnosis's I don't have the energy Renal disease takes it all out of you. Help us plz

If you enrolled in identity protection services after your information was involved in a data breach, you can ask the service to help you respond to problems with your accounts.

You could go to IdentityTheft.gov to report identity theft and get a personal plan to help you respond to problems. You can list the accounts that were affected, and get a checklist of steps to take to respond to problems. You can also get an Identity Theft affidavit and prefilled letters and forms to send to companies and creditors when you report identity theft.

Yes, I have done all that, however, yet nothing is being done to me. Matter of fact I've found that my medical records are missing several years & that I'm still doing everything on my own. Plus I have been informed by DMV, which wouldn't give me any proof, that my SS# & more has been used in other states for DL. I can't make a police report on word of mouth, I have to have written proof for anything to stick. Ty

Please advise if records included previous employment prior to 2000. Recent credit report denotes identity theft has been displayed. Will contact Bank.

OPM's website says that beginning on Jun 8 and continuing through June 19, they will be sending notifications to approximately 4 million current and former federal employees that could be affected by the breach. We don't have any other details right now.

I have been a Fed Employee for 35 years. All my cpo coworkers were notified, but I have not recieved notification from OPM, and therefore do not have a PIN number for the credit monitoring service. There is no instructions or contact info on what I should do next. What do you suggest ?

Does this effect Government Contractors? Secret clearances ?

OPM's website says that beginning on Jun 8 and continuing through June 19, they will be sending notifications to approximately 4 million current and former federal employees that could be affected by the breach. We don't have any other details right now.

A security freeze is advisable to prevent new accounts being opened in victims name.

First and foremost, the OPM is supposed to be, primarily, still on paper. Secondly, how is it that the Federal Government and OPM could allow this to happen? BC&BS, now OPM? Is anything run by anyone safe, anymore. People have been forced into electronic records systems that they have no control over. They have to "trust" the folks in charge of guarding their information. Obviously, our trust has been misplaced. As well, why on God's green earth does all that computer data have to be connected to the web, 24/7. It's as though government and the private sector are begging for a security breech. No system has to be connected to the web 24/7. The whole concept is stupid and naïve. We were at least safe with good old paper.

Joe, you are stone cold RIGHT. I worked with computers for most of my life and what you say is the truth. It's way past time that we "just said NO" to those who constantly demand our personal data without any obvious need. The centralization of personal data in medical records is just asking for trouble. If doctors or anyone else refuse to serve you unless you "give" them your personal data, threaten to sue them.

They give no phone numbers to call? info good but no resource to call.

Additionally free credit monitory from whom? telephone number? identity theft insurance from whom and what is telephone number -

OPM's website says that OPM is offering affected individuals credit monitoring services and identity theft insurance with CSID. Additional information is available beginning at 8am CST on June 8, 2015 by calling toll-free 844-222-2743 (International callers: call collect 512-327-0700).

Anyone notice that these websites aren't even secure no s in http

You understand that https secures the information in the connection and doesnt secure an exploitable server holding the information. Https helps a person communicate with the server securely. It doesnt prevent someone from breaking into the server and stealing information

When my wife got her CSID letter early on, I watched her follow the steps to create a CSID account. We noticed that neither the Safari or FireFox browsers displayed a "lock" indicating encrypted connection. Nor was the site an "https:" site. We bailed. Three weeks later the https and lock indicators were present and she opened her account smoothly.

will the federal employees get a letter about this?my sister=in=law worked for the veterans administration for many years. she doesn't do computers. can I get an answer so I can make her aware of it

OPM's website says that beginning June 8 and continuing through June 19, OPM will be sending notifications to approximately 4 million individuals who could be affected by the breach. The email will come from opmcio@csid.com. In the event OPM does not have an email address for the individual on file, a standard letter will be sent via the U.S. Postal Service.

I hold OPM 100% accountable for the breach. If I become victim of any of the possible implications I will take legal action against OPM and recommend anyone else affected to do the same.

I am wondering if federal employees may take legal action against OPM based on the current circumstances. I don't think the limited free credit monitoring services and identity theft insurance with CSID is enough! What happens when these services are stopped; who pays. What happens when the bad guys start to overlay data from BC/BS, banks and IRS. There is too much at stake here.

I am with you. How can they dare say "We are not liable", when they are totally liable for this breach. With all of the IT people and resources available to the government, how can they justify this.Plus - the original breach happened in April - why notify us in June?

I agree with legal action, if need be. This appears to be a massive problem that could get worse.

How do we know we can trust this CSID service organization when we couldn't trust you, OPM, to protect our information? my understanding from initial reports is that affected individual's social security numbers were not encrypted. That is inexcusable. OPM, you owe us BIG TIME.

We got a notice today from opm saying our information has been hacked. We have never worked for the government. What is going on?

The OPM site (opm.gov) has questions and answers for people affected by the background investigation records breach.

The site says that if you had a background investigation through OPM in 2000 or afterwards (and submitted forms SF 86, SF 85, or SF 85P for a new investigation or periodic reinvestigation), it's very likely you were affected.

You might be also affected if you are a: 

  • Current or former federal government employee
  • Member of the military or veteran
  • Current or former federal contractor
  • Job candidate required to complete a background investigation before your start date
  • Spouse, co-habitant, minor child, close contact of any of the above groups (because someone might have listed you on THEIR application)

Dose this also involve grants

Go to opm.gov for the most up-to-date information.

OPM's message on June 4, 2015 said the incident may affect personal information of current and former Federal employees.

OPM will send notifices to approximately 4 million individuals whose personally identifiable information might be affected by the incident.

Why did I get this email? I have never been a federal employee.

If you got an email with a link to this blog post, it's because you  signed up to get FTC Scam Alerts or other news. 

If you don't want to get these emails and blogs, go ftc.gov/stay-connected and click “Manage my email subscriptions” near the bottom of the page to change your subscription.

Excellent! ThankYou! If necessary We will be ready. Thanks again Jose.

Is this another way of letting the consumer know that even our federal gov't has major flaws when it comes to keeping things under wraps, but harassment when tax time is due or when we reach retirement?

The firewall should have had a brute-force attack shield built in that would take the server down in the event of multiple attempts to gain access. This tells me that an employee was on the inside and activated a trojan horse, or simply acted maliciously. Never click on links that did not originate from the office. I think it is better that no one click on any links at all, thus saving embarrassment like this, and possible harm. Another tip: if you receive an email from anyone, inside your office or outside of the system, that either promises you a reward if you act or threatens you harm if you do not act, and has a sense of urgency in the words, DO NOT OPEN ANY ATTACHMENTS. Instead, DELETE the email, and inform your MIS department or security officer. Any action at all could unlock a trojan horse that could wipe your computer clean, or lay your server open like a gutted fish, allowing outsiders access to your information. BE VIGILANT! That is your job one!

Even if an employee clicked on an embedded link via email or other, the IT security config. should have blocked and or prevented connecting it. It was more that just a simple re-direct and they knew of the vulnerabilities via internal audits and took no action to fix their IT security issues. The Head of IT and his/her Boss should be fired!

Do I need to apply for the free identify theft insurance coverage or is this automatically applied should I find my accounts breached? Thanks, John

Go to opm.gov for the most up-to-date information.

On June 4, 2015, OPM said it will offer credit monitoring services and identity theft insurance to people who are affected.

Exactly what information was compromised? Is my checking account information for direct deposit and expense reimbursement compromised? Do I need to close that account?

Go to opm.gov for the most up-to-date information.

On June 8, 2015, OPM's website said: "The kind of data that may have been compromised in this incident could include name, Social Security Number, date and place of birth, and current and former addresses. It is the type of information you would typically find in a personnel file, such as job assignments, training records, and benefit selection decisions, but not the names of family members or beneficiaries and not information contained in actual policies. The notifications to potentially affected individuals will state exactly what information may have been compromised."

Well..OPM did not tell WHAT in my Top Secret information was accessed. SO how do I ask OPM for that information? I have the 'free' credit reporting..which is a joke..it reports SEX OFFENDERS who live near me; its only good for a year. Will OPM certify my data has been recovered and all hacked information deleted from hacker data stores..I dont think so. This is PERMANENT idenfitication data..its not credit card numbers..its data to allow a hacker to take over an Identity. We need more than ONE YEAR credit monitoring..we need lifetime. AND we need financial assistance to cover all damages should the data be used in fraud. Just reporting via email..does not cut it.

Go to opm.gov for the most current information.

If you were affected by the background investigation records breach, you have access to credit monitoring service from September 1, 2015 to December 31, 2018.

You also have access to idenitity monitoring, identity theft insurance and identity restoration services. The OPM site explains how to access the services.

I am concerned that the thieves will sit on the information and use it in the future when they think we have forgot about this breach. We need to have free credit report access for life!

Absolutely free credit reports for life. Free ID theft premium level protection for life. Also, what mailing address will they use to notify me if I may be a victim ? Will it be an address I can no longer access or collect physical mail from ? If by email, how can I be sure it's the government and not the hackers trying to scam me ? Having been former military, temporary federal employee, and having received VA benefits, I'm concerned but need to check next credit report as authorized once every 12 months for free.

Go to opm.gov for the most current information. 

If OPM doesn't have an email address for you, it will send a standard letter by U.S. Postal Service.OPM said it will mail all letters by June 19th. You might get a letter after that date, depending on the postal service in your area.

You might get an email about the OPM breach. It will come from  opmcio@csid.com and will include your name, your PIN, a button to “enroll now” and information about the CSID Protector Plus program. If you prefer, rather than clicking the “enroll now” button, you can go directly to CSID’s website to enter your PIN and enroll.

If you aren't sure that the email you got is legitimate, check OPM’s website for more information and updates. If you think you’ve been tricked by a phishing email or a fake call, then file a complaint with the FTC and forward the email to spam@uce.gov.

If you have already received your three free credit reports earlier in the year, you cannot get free new ones to investigate this breach. Also, the free credit monitoring only has Transunion credit report information, leaving you missing the other two reports, Frequently the reports do not contain equal reporting data. OPM should pay for personnel to get free reports because of the breach if they have already pulled their credit reports earlier in the year.

Our blog post advises people affected by the breach to place a 90-day fraud alert on your credit reports. When you place a fraud alert, you are entitled to a free credit report from each of the three national credit bureaus. The confirmation letter that you receive from each credit bureau will include instructions for getting your free credit report.

Can we start a lawsuit against OPM. I would like a lawyer to comment if we can take legal action against OPM. Basically what I am reading is that I need to waste my time to monitor my credit, cancel my debit/credit cards, change all my passwords. Time is money. I am going to ask my command to allow time to make all those changes if my information has been compromised.

Ricardo, were you harmed by this? Legal action (lawsuits) are taken to recover damages. If you were financially damaged by this then maybe legal action would be appropriate. If not then, no.

Take the time to read the Privacy Act of 1974. There are legal remedies regardless of actual cash losses.

“Whenever any agency . . . fails to maintain any record concerning any individual with such accuracy, relevance, timeliness, and completeness as is necessary to assure fairness in any determination relating to the qualifications, character, rights, or opportunities of, or benefits to the individual that may be made on the basis of such record, and consequently a determination is made which is adverse to the individual [the individual may bring a civil action against the agency].” 5 U.S.C. § 552a(g)(1)(C).

There will be Class-Action Litigation. Like anoth OP stated, the time it takes to change password, close account, stress ect. as a preventive can be translated to dollars.

You only need to show damages. (On top of duty to care, exc) But placing your SS number in the hands of unscrupulous individuals IS damaging to your security regardless of if they act on it. Your security has been damaged and you cannot get that security back no matter how much monitoring they give you.

I'm told to "update" my password every 3 months-how often is the OPM security updated?? Was that why this happened? It obviously was NOT very secure.

My only federal employment was as a temporary worker on the decennial census for a few weeks in 2009 and 2010. Would my record be among those compromised?

Go to opm.gov for the most current information.

On June 4, 2015, OPM's website said that the incident data may have compromised the personal information of current and former Federal employees.

OPM will start sending notifices to individuals whose information might have been compromised on June 8, 2015.  OPM will continue sending notices until June 19, 2015. They will send an email from opmcio@csid.com with  information about the credit monitoring and identity theft protection services being provided to Federal employees who were affected by the data breach. If OPM doesn't have an email address for the person, it will send a standard letter by U.S. Postal Service.

We just now received a letter stating that our information was compromised back in June. Took them long enough

Just received my notice of hacking OPM called it (cyber intrusion), 11-30-15

18 months of identity theft insurance does not seem like long enough. This should be doubled...to 36 months at least.

For an incident in which a given individual's sensitive PII has been compromised, why is the free identity theft protection only being offered for 18 months or 3 years (for the other 21.5 million), when that individual may plan on continuing their life with their born identity for upwards of 4 to 70 years? Shouldn't the protection last the lifetime of the affected individual? It's not like the compromised information is going to dissolve and disappear upon expiration of the free protection. It seems reasonable to assume that the compromised information will be available to identity thieves indefinitely now, does it not?

How do we know what email address OPM has on file if we are active employees? Do we get a letter if they send an email to an address that no longer exists?

I worked for the Federal government in the early 1990's. Have now been living at the same address for several years, filing tax returns showing that address etc... Will OPM have my current address it needs to send me the letter? If I don't receive a letter can I be reasonably certain that to date OPM has not discovered that my info was compromised? Thanks to anyone who can help.

I'm wondering what they will do with the knowledge of clearances and to certain people because of that they become targets

Exactly!!

And just how exactly will I know that my information was taken? My credit report is all messed up, I haven't been able to access it because I don't know the answers to some of the questions. I have been using the credit monitoring but it is limited and inconclusive. I have already been notified by the United States Postal Service that my information was breached. Is this an entirely different breach?

Please check OPM’s website and FAQs for the latest information about the incident and services being offered to victims.

Will notifications be sent to our government email address or to personal email?

Current federal employees will be notified at their current work email. For separated/retired employees, OPM will send a letter to the last known address in the National Change of Address database.

From OPM’s FAQs:

How will OPM contact me if I no longer work for the government? What if I have changed agencies once or multiple times in recent years?

If you have left the government, OPM will send you a notification via postal mail to the last address the agency has on file. OPM will verify this address with the National Change of Address (NCOA) service before mailing a letter.

If you have moved between agencies, OPM will send an email notification to your government email account for the agency at which you are currently employed. If your email address is unavailable, notification will be sent via postal mail.

i am a former employee of the internal revenue service. i worked for the irs from 1989-2007. i also worked for veterans admininstration from 1987-1989. last month i learned that my paypal credit account/credit card had been compromised and someone tried to make an unauthorized charge on my card. fortunately it was stopped by paypal. i wonder if i am part of this huge data breach. i've NEVER had any type of trouble. i change passwords on a regular basis. this whole situation has scared the BEJESUS out of me. i immediately placed a fraud alert on the 3 major credit bureau accounts. VERY SCARY SITUATION !!!!

The latest reporting indicates that SF-86s were taken. Does the data loss include DSS/OPM investigator notes? Does it include polygraph, health (counseling) and foreign contacts? Why is OPM NOT being forthcoming in discussing specific data loss details? Do we need to file FOIA requests to request what data was compromised? The loss would also constitute a violation of 1974 Privacy Act security - OPM is required by law to notify victims of specific data compromise.

I had to call the credit monitoring agency THREE times yesterday. They can't pronounce the words in the script they are told to read to us and they certainly don't know what it means! Not user friendly at all! My account has now been locked and I have to wait 1 - 3 business days for further assistance. Completely unacceptable!!! Not only do you allow the compromise of my personal information, you are now providing substandard service that is supposed to help me.

I read nothing on the OPM, FTC or CSID sites mentioning security check info listed on federal employees applications or security check forms. What about those of us who's info was included for them to get security clearances?

This never should have happened. OPM should have done everything possible to protect our information. There are no excuses. This is ridiculous.

Does this include active duty military members?

sure does. just got a notice in the mail a few days ago. both me and the wife (who's Nation Guard)

The security breach was also concerning over 400,000 tax returns. Will those affected individuals be notified via letter? Nothing has been stated in the news or the IRS web site. Who should someone contact concerning the
IRS security breach? That also includes social security numbers, address, back accounts and more. Also, lists any information concerning dividends, etc. and more.

Is everyone affected willing to participate in legal action?

I'm with you, anybody have information yet. Three years isn't right.

OPM, how do we know we can trust you and CSID?

Our personal info SHOULD NOT BE STORED ON A SYSTEM THAT IS CONNECTED TO THE WEB by the Government or by ANY business. To do so shows a complete lack of concern for employees, taxpayers, and customers. We are FORCED to acquiesce to this complete disregard for our security if we want to a) Have a job (anywhere); b) Buy or rent a place to sleep; c) Obtain any type of health care (whether we pay ourselves, or through insurance); d) Have a telephone or any other "utility" service; e) Have a bank account; f) Pay our income and/or property taxes; g) Drive a vehicle; or h) Any of a number of other things I'm not thinking of right now. WE CANNOT PARTICIPATE IN ANY OF THESE BASIC LIFE FUNCTIONS WITHOUT "AGREEING" TO HAVE OUT PERSONAL INFORMATION POSTED ON THE WEB FOR ANYONE TO STEAL. Then, when someone steals it, the offered solution is to allow us to go to another website, and input our personal information again, so that another business can safeguard it for us? Are you kidding me???

How does this impact security clearances? Will there be any delays, forfeiture, denial?

For the most current information, go to opm.gov. As of June 15, 2015, the Frequently Asked Questions on opm.gov don't address your question about impact on security clearances.

Why my account is not verified?

Office of Penetrated Mainframes, opm

OPM doesn't have my current address. Mail will not be forwarded from the last address they may have. Who do I call to check to see whether my data were compromised? How can I "get notice??

Go to opm.gov for the most current information.

On June 18, 2015, the OPM website says that if you are an affected person and you've left the government, OPM will send you a notice by postal mail to the last address the agency has on file. OPM will verify this address with the National Change of Address (NCOA) service before mailing a letter.

I received a letter today which looks quite suspect. Refers to a different credit monitoring service ( AllClear ID) also letter was addressed to a past last name of mine.

Go to opm.gov for the most current information about the breach.

The credit monitoring service and identity theft insurance OPM is offering is with CSID. If you're affected, OPM will send you information about CSID.

OPM will notify people whose information might have been compromised. They started notifying people on June 8, 2015 and will continue through June 19, 2015.  The email will come from opmcio@csid.com. It will have information about credit monitoring and identity theft protection services being provided to Federal employees affected by the data breach.

If OPM doesn't have an email address for a person, it will send a standard letter through the U.S. Postal Service. OPM's letter will refer to CSID

When I go to www.csid.com/opm, one of the first things it asks me for is my social security number. After all of this, I am totally uncomfortable entering this online. Advice?

Go to opm.gov for the most current information.

On June 18, 2015 ,the OPM website said is is using the sender “OPM CIO” and email address "opmcio@csid.com“ to notify affected individuals. Make sure the link in the email takes you to www.csid.com/opm, where you will need to click the “Enroll Now” button and provide your information. When you enroll, you will be required to provide personal information to begin your credit monitoring services.

If you get an email about the breach from a different address, it is spam. Do not click on any links or provide any personal information.

where was cybercommand, cant we just let them run the .gov TLD. how many other federal agencies are sitting fat waiting on their 59, pushing off that federal datacenter consolidation; time for an executive order from the top. trim the fat.

when i go on the csid website, one of the first things i'm asked for is my ssn. i'm not feeling comfortable about entering this online, too, in light of everything. please advise.

Go to opm.gov for the most current information.

On June 18, 2015, the OPM website said you can get more information about CSID by going to the company’s website, (external link) or by calling toll-free 844-777-2743. If you're an international caller, call this number collect: 512-327-0705.

In general, if you want to get identity protection, you have to give a company information to prove you are who you say you are. You might have to give your social security number and other information so they can locate the accounts you want them to monitor.

OPM just sent me a letter too. Had me go to

and letter says "OPM will never ask you to confirm any personal information". They had a 25 digit pin number on the letter they sent me and only asked for my last 4 of SSN and I thought "great, with the pin # and my last 4 of SSN, the government will know who I am!" ... and then it takes me to a different website opm.myidcare.com and then THEY ask for my entire SSN!!!

I received an email purporting to be from opmcio@csid.com, instructing me to go to a specific website and enter personal information in order to sign up for the ID theft / security monitoring. The phone numbers that were listed in the email -- the ones I supposedly should call if I had questions -- were different from the ones I've seen online on governmental websites. For example, this website and others have csid's phone number listed as 844-222-2743, but the phone number listed in the email I received was 844-777-2743. That's a different number. Also, international callers were directed in the email to call 512-327-0705, but the official (xxx.gov) websites indicate that it should be 512-327-0700. Frankly, I am terrified that I might not be able to identify fraudulent phishing scams based on this security breach! What a mess.

I work at a VA; we have an employee who will be clearing the facility 06/19. If current employees are being notified at their work email address, she very well may be gone before an email is sent to her. From what I understand, CSID is not sending out letters if they notify individuals by email. In this case, they may miss her but not realize it. Any suggestions for her?

Go to opm.gov for the most current information.

On June 18, 2015, the OPM website said that if you've left the government, OPM will send you a notification via postal mail to the last address the agency has on file. OPM will verify this address with the National Change of Address (NCOA) service before mailing a letter.

If you moved between agencies, OPM will send an email notification to your government email account at the agency you work in now. If your email address isn't available, OPM will notify you by via postal mail.

is the letter from CSID (Secure Processing Center) legitimate? Enrolling in the complimentary subscription to 'CSID Protector Plus' requires you enter SS# and personal info.

Go to opm.gov for the most current information.

On June 18, 2015, the OPM website said that OPM is offering  credit monitoring services and identity theft insurance to people who were affected. OPM offers those services through CSID. People who are affected can get access to their credit reports,  credit monitoring, identity theft insurance, and recovery services for free for 18 months.

In general, if you want to get identity protection, you have to give a company information to prove you are who you say you are. For example, you might have to tell your social security number and other information so the company can locate the accounts you want them to monitor.

OPM said you can get more information at the company’s website, (external link) or by calling toll-free 844-777-2743. If you're calling from outside the U.S., call this number collect: 512-327-0705.

What effect does this have on SEEs (who are non-Federal employees)?

Go to opm.gov for the most current information.

On June 18, 2015, the OPM website said people in several groups might be affected. People might be affected if they work, or used to work, for a Federal agency for which OPM maintains the personnel records. They might also be affected if they worked for a Federal agency or organization that sent records to OPM to support their future retirement processing.

I just want to warn those of you considering placing a "freeze" or "fraud alert" as suggested - placing a fraud alert or freeze on your credit causes its own issues. I have had to do this in the past because of identity theft and then I myself was unable to get credit because of the credit freeze. Because I had moved in the last year they couldn't verify my identity and I was unable to open any new accounts. It took months to clear up.

A credit freeze lets you restrict access to your credit report, which makes it harder for identity thieves to open new accounts in your name. A freeze remains in place until you ask the credit reporting company to temporarily lift it or remove it altogether.

If you place a freeze, be ready to take a few extra steps the next time you apply for a new credit card or cell phone – or any service that requires a credit check.

Our Credit Freeze FAQs have more information.

Our PII is forever, but the response coverage expires in 18 monthns.

I've worked for the Federal Gov't either as a DoD Civilian employee or contractor for over 20 years. Bearing that in mind you should be able to guess how many SF 86's and EPSQ's I've had to complete for my background investigations/PR's. To say that if background information was compromised may not be important is absolutely ludicrous !! Those forms contain ALL of our financial information (bank accounts, credit cards, mortgages, etc) family names/addresses, and so on. Basically, our entire lives. When considering all of the information we are required to provide the Federal Gov't for our clearances, if that information is being "sold" by the hackers to criminal elements or groups like ISIS, they have in essence potentially placed military personnel, civilian government employees and contractors at risk for being targets. In my opinion this is something that is and should be considered very serious. I know I plan to notify my family members to be watchful of anyone or anything that may be out of the ordinary. This is more than just the possibility of a threat of identity threat. The idea that this happened a few months ago and we are just now learning of this is deplorable and irresponsible. How many people has already experience possible identity theft or fraud that could have prevented it at least 2 months ago had this information been made public?

What address will they be using? The most recent on file with the federal government, VA or SSA or HHS, or our most recent address when we were employed? Let me guess: We don't know.

Go to opm.gov for the most current information.

On June 22, 2015, the OPM website said if a person was affected by the breach announced on June 4, and that person has left the government, OPM will send a notification by postal mail to the last address the agency has on file. OPM will verify this address with the National Change of Address (NCOA) service before mailing a letter.

If an identity thief causes harm to my finances, I believe OPM will be required to reimburse me. This entire situation is due to the fact that OPM ignored their inspectors complaints that their IT systems were antiquated and not effective against this type of cyber attack.

Outside of the normal information, would CSID ask for my bank account information, credit and debit card information, DL # and medical information when I register? Several other employees got an email and link that asked for that information.

Go to opm.gov for the most current information.

On June 22, the OPM website said you can contact your agency’s privacy officer if you want to check on the email you received. OPM said it gave government privacy officers information to help privacy officers validate the emails for you.

OPM said that if you are affected, you could get an email from sender “OPM CIO” from this address: opmcio@csid.com. A valid email will have a link in the body of the email that takes you to www.csid.com/opm (external link), where you can click the “Enroll Now” button and provide your information. If you enroll, you have to give personal information to start the credit monitoring service.



If you get an email about the breach from a different address, it may be phishing.  Phishing happens when a scammer pretends to be a business to trick you into giving out personal information. Do not click on any links or provide any personal information if you suspect an email is phishing.

CSID contacted me and I followed all the instructions to set up the account. However, my wife was not provided an account and ALL of her info (SSAN, etc) was included on original application for job, clearance and retirement money etc!!! Why is she not being contacted? Or is this coming later in what has now been expanded to 18 million hacked?

Go to opm.gov for the most current information.

On June 23, 2015, the OPM website said that at this time, it has no evidence to suggest that family members of employees were affected by the breach of personnel data. OPM also said that if other exposure are found, OPM will conduct additional notifications as necessary.

Open note to all USG employees, please push hard for USG-provided credit monitoring for life to address this and likely future breaches.

Prior to retiring, I was advised and did download my entire electronic OPM file. During my employment I was required to provide and did provide the SSN of my wife. Her SSN is clearly shown in my electronic OPM file. Will she too have the protection from CSID as being offered to me?

Go to opm.gov for the most current information.

As of June 24, 2015, the OPM website says it has no evidence that family members were affected by the breach, but if they learn family members information was exposed, it will send more notices. You can read more about how retirees might be affected on the OPM site.

I received the letter from OPM that my personal information has been compromised. My spouse works for NIH. The PIN number I was provided was invalid!How can that possibly happen? Was my letter hacked? Does someone have access to even more of my information? Has someone registered under my name and have access to my account with the cyber security company. In short, you've got to be kidding!

Another frustrated spouse here, hubby works for NPS, my PIN is also invalid. The incompetence is astounding!

I was a DOE contractor but left many years ago. I'm pretty sure they didn't have my contact info. I called the 844 number to see if my info was compromised and it was. I got the PIN etc, but just FYI don't count on the OPM to know how to get in touch with you. Also CSID has no idea how to update OPM with your current info

"On June 22, 2015, the OPM website said if a person was affected by the breach announced on June 4, and that person has left the government, OPM will send a notification by postal mail to the last address the agency has on file."

1. I retired at the beginning of 2015. Why did I receive an e-mail instead of a physical letter?

2. One of my family members is STILL a Federal Employee; why wouldn't THEY have received an e-mail yet?

3. I called CSID to ask a list of questions to get clarification AND to register over the phone instead of entering PII online, hopefully to pick their brain about the safety of doing ANY financial transactions online at all. Called at 6:00am Central and after waiting about an hour, got a phone rep who had been working there for ONE WEEK. He knew absolutely nothing about IT or online computing security. The one piece of information he did give me was that the million $ policy goes into action whether we register or not (which is in the information on OPM.gov already). He did not seem to be leaning toward letting me sign up over the phone (and if he has been working there one week, what kind of security background check could HE possibly have been subjected to??!!!!) Once I realized that he was a temp hire with probably a lifetime of job security and absolutely zero knowledge about computing security, I bailed on the call to think all of this over. 4. WT* is wrong with THIS picture?! OPM - Information About the Recent Cybersecurity Incidents Updated June 23, 2015 Precautions to Help You Avoid Becoming a Victim *Do not send sensitive information over the Internet BEFORE CHECKING a website’s security (for more information, see Protecting Your Privacy. (external link)

That link leads to a DHS/US-CERT "Security Tip" page with a PROMINENT note that SPECIFICALLY states,"To protect your identity and prevent an attacker from easily accessing additional information about you, AVOID providing certain personal information such as your birth date and social security number online." "Before checking" does NOT equal "AVOID"! The CSID/OPM https connection to csid is "encrypted with modern cryptography."

STILL, the instructions to enter our SSN and whatever other PII online that is required to register is in direct conflict to the note from the DHS/US-CERT note about Protecting Your Privacy and just flat out defies common sense and a really bad gut feeling. Even if the CSID connection IS 100% secure (probably no such thing), retirees without the ability to signup over a presumably secure "at work" government PC" either wired or via VPN don't have a clue what kind of trojans, keyloggers, whatever nasty malware is out there now is lurking on their computer and OS of choice. I know CSID can't field 4 million registrations over the phone, but there should be a better way to enroll than voluntarily handing out very detailed PII over the Internet. It has already been handed out to God knows who. And doesn't it stand to reason that dedicated cyberthieves looking for the big payday are working 24/7 to find new ways to harvest PII submitted online?

5. I know attorneys and any public spokespersons for any Federal agency have to be extremely careful about statements they make, but the pat answer of, "Go to opm.gov for the most current information.Go to opm.gov for the most current information." "You can read more about how retirees might be affected on the OPM site." just brings up visions of Martin Short as the chain smoking attorney in the old skits on SNL. Sorry Bridget, I know you are following protocol and I am sure your workload is overwhelming; I had to do the same at my agency, every year since 2008 with fewer resources and more demands, but it just makes me sad, frustrated and frankly, scared.

While I have been caught up in this fiasco along with the other millions of current and retired federal employees, I have a question for which I can’t seem to locate the answer.
We are encouraged to place a ‘Fraud Alert’ with one of the credit bureaus who will then communicate it to the other two. OK…in my reading I see that this ‘Alert’ is good for 90 days but can be extended, at no cost, for a period of 7 years. However in looking at the Trans Union and Equifax websites to effect this extended alert not only must one request the extension from each credit bureau, but also provide a copy of the identity theft report (Trans Union) or a copy of a law enforcement agency report (Equifax). Everyone knows the data has been breached and out there, OPM is the ‘company’ that committed the breach, etc.
I guess my question is this, Is the expectation that we wait until something does happen in an untoward fashion with our compromised data or take a proactive approach and generate an Identity Theft Report now, take it to the local police department get it registered and request the extended fraud alert protection. Updating the two documents when and if we get gutted by the thieves?
A corollary question comes to mind….Is there a limit to the number of times an extended fraud alert can be requested? Thank you, FedFrigged345

If you get a notice that your information was exposed in a data breach, you can take steps to protect yourself. Read more at identitytheft.gov.

When you know your information has been exposed, you can place a fraud alert. That makes it harder for someone to open new accounts with your information. You can renew a fraud alert indefinitely.

Or, you could get a similar amount of protection by placing a credit or security freeze on your credit report. Whether you get a "credit freeze" or "security freeze" depends on what's available in your state. To get a freeze, you have to contact each of the three credit reporting companies individually, and pay a fee.  The freeze is permanent, unless you lift it. You can lift it temporarily or permanently. 

A 7-year or extended fraud alert applies to identity theft victims. To place an extended fraud alert, an identity theft victim must have an identity theft report, or something similar. A victim can place a 7-year extended fraud alert and doesn’t have to renew it every 90 days.  When a victim places an extended fraud alert, she gets additional free copies of her credit report.

You said "You can renew a fraud alert indefinitely." That would be good because OPM gave away my information forever, the risks that OPM created last indefinitely. Are fraud alert renewals something that I will have to pay a credit reporting service for indefinitely?

Identitytheft.gov explains what to do if you're an identity theft victim who knows your information has been misused.

Identity theft victims can get extended fraud alerts by contacting the three credit reporting companies and providing copies of the Identity Theft Report they created about the theft. It's free to place and remove an extended fraud alert for identity theft victims.

There is different information for people who got a notice that information was exposed in a data breach, aren't identity theft victims. This page for tips on what to do.

This article explains the differences between a fraud alert and a credit freeze, and who can get them.

 

Does this data breech impact gov't contractors as well?

Go to opm.gov for the most current information.

OPM said the breach announced on June 4 did affect current and former Department of Defense civilian employees, but didn't affect contractors, unless they previously held Federal civilian positions.

There are millions of us (18 million as cited by the AFGE lawsuit that have never been contacted by OPM or CSID. Opm director, office of cio, and inspector general all say call csid. After calling for 4 days and waitng 6 hours on phone, csid said they can't enroll me .. but they will sell me credit protection. I know I am in the affected groups due to prior government service and other related information. FTC please help us.

Go to opm.gov for the most current information.

If you were affected by the incident announced on June 4, you would have gotten an email or paper mail notice from OPM within a few days after June 19.

The OPM website says that if you didn't get an email or paper mail notice, CSID can tell you if you're eligible to enroll. You say CSID already told you you aren't eligible to enroll.

If you want to protect your credit reports, you could get a credit freeze. A credit freeze stops anyone from getting access to your credit reports, unless you lift the freeze or remove it. Go to identitytheft.gov to read more about identity protection steps to take.

Was looking at signing up for CSID - a privately held corporation. Their privacy policy is clear particularly when they say
"In addition, in the event of a merger, acquisition, or any form of sale of some or all of our assets to a third party, we may also disclose your personal information to the third parties concerned or their professional advisors. In the event of such a transaction, the personal information held by CSID will be among the assets transferred to the buyer."
So the take away is - don't hack OPM, just buy the data (assets)from CSID.

I worked at a VA Hospital for 10 years as a volunteer, becoming an unpaid government employee, and this is the thanks I get? From here on out, it looks like their usual "every man/ woman for themselves". Stop paying t axes!

I have looked at the OPM website - no info on employment date ranges affected. Does FTC (or anyone else) know if there are employment dates NOT affected? I was a government employee from 1975-77. My agency in the 70s made a lot of use of computer data, for what it's worth. Can I assume I'm safe, or did some agencies input employee info from that far back?
I was also an independent contractor from the mid 1990s until about 2007. Should I assume that information was compromised? I haven't received a USPS notification.

OPM issued a press release on Thursday, July 9, 2015. In it, OPM stated that “in the coming weeks, a call center will be opened to respond to questions and provide more information. In the interim, individuals are encouraged to visit https://www.opm.gov/cybersecurity. Individuals will not be able to receive personalized information until notifications begin and the call center is opened. OPM recognizes that it is important to be able to provide individual assistance to those that reach out with questions, and will work with its partners to establish this call center as quickly as possible.”

Thank you!

So, I just received an ALERT from CSID. When I called I was asked to provide my ss#, DOB, and address. I provided all, and am now wondering if that was a mistake..? Should/Would CSID be asking for this information when a Federal Employee calls in?

Go to opm.gov for the most current information.

If your information was affected by the data breach announced in June, you should have already received a notification from OPM.

If you got a notice in June and enrolled in credit monitoring and other services with CSID, you can call CSID with questions about the services. Please call CSID at 844-777-2743.

Can someone in DFAS assure us that our bank information is secure? I feel the next hack is DFAS and we will be really screwed.

I am USPS rural carrier. I am a contractor, but the usps makes ne have the same clearance as employees to carrier mail. I didnt get a notice, although the usps has my cakgroung, fingerprints, drugtests results, and all personal date including bank account info. I never received anything from opm. Am I just SOL?

You can get the latest details at opm.gov.

OPM has announced two different breaches. In June, OPM announced a breach of personnel information. OPM says contractors weren't affected by the personnel information breach.

Later, OPM announced a background check breach, and said some contrators might be affected. OPM will send notices to people affected by the background check breach, but as of August 10, 2015, it hasn't sent any notices.

I just enrolled for CSID, entered my information and created a username and password. It said the account was created successfully and then it asked me to log in using that username and password. I clearly had not forgotten it in the time I entered it and verified it, yet when I put in the information, it said the login was invalid. I thought maybe I just miss hit a key so I re-entered my username and password which locked my account. There is no help button to request my account be unlocked. How does it get unlocked? Time? Help desk?

The OPM website at opm.gov has information, and a series of questions and answers to help people. OPM.gov lists this number for CSID’s call center: 844-777-2743.

I work for a national laboratory. The best insult to injury here has been a series of meetings that you are "invited to attend" to learn about this and what you can do to mitigate damages...AT YOUR OWN EXPENSE! Either I pay for my time to attend, or I have to ask my manager to pay for my time. The OPM/DOE don't think they need to pay for my time for their own error. Obviously, if I do NOT go, they will retaliate that I must not have cared enough to attend... seriously!

Have the notification letters and/or credit monitoring e-mails begun to be sent to those 19.5+ million or so affected by the SECOND (background information check files) data breach at OPM?

Go to OPM.gov for the most current information. OPM regularly updates information about response to the breaches.

As of today, OPM has not started sending notices about the second breach that included background check informatioin.

Interesting that when I tried to obtain my protection from ID Experts, the system apparently is not recognizing the PIN that was mailed to me. This was from the person who answered the phone because the system gave me a "your personal information is not recognized response." I waited 10 minutes on hold and he came back to say they are overwhelmed with calls (not enough people to handle the call volume) because the system is not recognizing some of the PINs that were recently mailed out. If this isn't government at its typical worst, I am unsure what is but I'm very sure this is another government kerfuffle from incompetent public agencies.

I'm a retired USAF Veteran and my husband had to get a security clearance for a job he left about 10 years ago. When this information was no longer relevant to our continued employment, why was it not destroyed?

Apparently the breach includes any civilian DoD background investigations done after 2000.

This is a huge national security risk. I can't believe the news has been silent on this angle. Think of all the people with clearances who's personal SF-86 info could now be used to blackmail them. It's not a stretch to think people working overseas could be kidnapped and tortured for info. Then again, if someone wants sensitive info about our government programs, they could probably just get it over the web, LOL.

Just got my notice in the mail and when trying to use the PIN that was *just* provided I receive notice that the PIN is invalid. Good job guys, probably the same attention to detail that led to getting hacked in the first place.

NotMyUserName, I have the same problem. They told me to "watch" on the OPM Facts site which will eventually tell me how to proceed..."it should be soon". So it's on me to "watch". O'Bama Care on a smaller scale (hopefully). Think we need to let FOX News, NBC, etc. know the issues we are having to identify how big a problem this is and maybe get some help. They certainly don't care.

An OPM letter arrived for my wife but not me, yet I'm the one with the high level security clearance. When I tried to enroll her it got her information mixed with mine and resulted in a botched application and an invalid PIN. So now both she and I are stuck with a confirmed breach of our data and no way to complete the ID Experts Identity Theft Insurance application. WHAT DO WE DO NOW???

Go to opm.gov for the most current information.

As of 10/21/15, OPM says that if saying your information was affected in the breach of background checks, you're automatically covered by identity theft insurance and identity restoration services. You need the PIN in the OPM letter to sign up for additional services.

If you get a notification letter, it should include a PIN. You can try using that to register. OPM posted questions and answers for people affected by the breach. It includes information for people who don't have a PIN, or who lost their pin.

FYI it looks like you recieved 5x PINs on one letter, but all five boxes are actually one complete PIN. I initially made that mistake when first trying to hastily log on.

I have used the 5x PIIN number OPM sent, both with and without dashes. The ID Experts site still does not allow you to register. It would be nice if at least a POC was provided with your failure message.

I also tried to create an account several times using the supplied PIN, however I get an "Invalid PIN" alert. When I contacted OPM they said several people were having the same problem. The fix is to either set it up over the phone (and provide all personal information) or keep checking the OPM website for additional information. I am not comfortable with giving my personal info over the phone, as they already demonstrated their inability to protect information. Has anyone else had this problem and got it sorted out? I don't see any information on the OPM website on what to do if the PIN they supplied is incorrect.

After six months, OPM finally sent me a 25 digit PIN and notified me that my information was compromised. After 40 years of service, the amount of information on the SF-86 and associated forms becomes astronomical, not just on myself but on three generations of my family. Yet all I can see is a profiteering enterprise that wants to put cookies on my machine, be able to "share" my data even further, and agree to an "arbitration clause". Even worse, this firm refuses to identify themselves, and after talking to three levels of "supervisors" repeatedly contradicted to each other. When does somebody finally take this seriously? What are our Senators, Congressmen, and Presidential candidates saying?

All my info and information has been hacked by a foreign entity. We were sent a letter by opm saying our name and personal info has been compromised. We need help

You can use the information in the letter OPM sent you and go to the OPM website at opm.gov for more information.

We had the same problem..."Invalid PIN"-tried the automated phone system-"Invalid PIN"-waited on line and spoke with a rep (???)-he read a long list of questions I would have to answer-a TON of personal info.-he tried the # on my letter-same message "Invalid PIN"- he then said I would need to speak with someone else & placed me on hold. I hadn't planned to give all of the info. -just wanted to hear what they would say-ended up hanging up! Very frustrating & fishy! Will try online in a few days. UGH!

If you have a freeze on your credit files, you have to unfreeze them for a week just to sign up for part of the service. Not sure if that's advisable since most of us have already had our PII breached before this one. Question: do we have to leave the credit files unfrozen for three years to get the credit monitoring service from ID Experts? I assume so but have not confirmed.

really??? i had my credit files frozen. but nobody "warned" me that the my credit files need to be unfrozen. how did you discover this solution?

I just got my letter and made an account but its asking for my ss# ummm im not comfortable with that

i also have an INVALID PIN error message when i tried to do it online. the online rep response was "yeh the government knows about it and check the website for further guidance in the future." oh yes, rely on the government to help. OH PLEASE..

Is this legitimate. I followed instructions to enroll, entered the code,when I tried to re-enter, I got "invalid Pin" I called the 800 number,agent placed me on hold, transferred me.. Then next agent said the reason I cannot use my pin code is because I already have credit freeze with the 3 credit bureaus. What worries me is that csid now has my personal info, and I cannot login to verify what is going on. Who in the government should I contact. Is this OPM thing another scam?

Go to opm.gov to read about the information breaches.

Did you put the credit freeze on your account?

If you did, you're protected by the credit freeze. You can limit who gets access to your credit report. When you have a credit freeze, it's harder for an identity thief to open new accounts in your name.

If you don't want a company to have your information, contact them and ask them to remove your information from their files.

Just received my notification "letter" today, as did my wife -- by virtue of her marital connection" to me. As a citizen of another country with extremely strong privacy protection laws, she was NOT amused.

OPM spared "no (taxpayer) expense" with its form notification letters! / sarc /

Not bad: July 9, 2015 - Nov 07, 2015 ... for a form letter X 20 million. / sarc /

I will echo the previous posters: where is Congress, where is the MSM and where is our "feckless leader" in all of this ...?

It's WAY past for an Independent Special Prosecutor to investigate and this, boys and girls -- no FBI, no US DHS and no US DOJ ... arrests must be made at OPM, people at OPM must lose their jobs and retirements.

But they WON'T!

Applied for a credit card and was denied due to unable to verify ssn then the letter came in the mail that my information was compromised, figures

Had the same issue with the "invalid pin" received letter on Friday attempted to enter response "invalid pin". Then called number in letter, worthless" they tried same response told to wait 24 hours if still responds invalid call back Monday. Problem remained the same on Monday. Called Monday first person attempted still invalid., transferred to a supervisor. The supervisor then transfer me to a tech. I was on hold for 45 minutes for nothing because after the tech attempted he stated quite a few people are having similar problems. he then told me check the website in a few weeks for an update. I asked will I receive another notice he stated no "it was up to me to check for the update" How much is the Government or TAX DOLLARS is paying ID Experts to have them waste our time and money????

I received a letter saying my information was part of the theft, however, I am not a current or former government employee. Is is possible I received this because my husband is active duty military with a security clearance?

Go to opm.gov for the most current information.

As of 11/12/15, the OPM site says that if you got a notification letter and PIN code from OPM, it's because OPM determined that your Social Security Number and other personal information was stolen when criminals stole background investigation records.

You can use the OPM site to sign up for identity protection services and learn more about the breach.

I neither worked for the government nor have I signed any non-disclosure forms. My information was not guarded by OPM after I filled out a background form for top secret clearance for my ex-husband years ago. Now I receive a letter saying my Social Security Number. is in the hands of hackers because OPM didn't safeguard it. I want monetary compensation as well as lifetime monitoring or a new Social Security Number.

I got a notice from the United states office of personnel management opm is this letter legit ?

Go to opm.gov for the most current information.

The OPM site has examples of the letters it sent. Look at Actions you can take now on this opm page.

I received the version of the letter that says my fingerprints have been compromised, however I don't think my fingerprints have EVER been taken. So how is that possible.

I receied the letter notifying me of the breach and to sign up with my pin, but what is my pin? I have 5 sets of numbers with an alphabetical character above it and I have tried them all together and seperate, but none of them work. Please explain what is the correct pin?

the correct pin will be the entire 25 digit pin. Separately they will definitely not work. If you are to enroll on a work computer, the pin will not validate(probably a security related problem...not entirely sure); if you have a credit freeze it will not work; if you have tried the pin too many times the system will lock you out and you may not be able to use your pin at all. It's very hairy, and there isn't really a way to know any of this without to someone over the phone and asking the right questions.

The recommendations are to request a credit freeze. Yet a credit freeze on one's accounts means that an individual cannot set up an account with ID Experts (in contrast to CSID). This seems illogical. Why would OPM contract with a company that can only set up an account if the a credit freeze is lifted (i.e., force victims to become even more vulnerable)?

You are able to lift  - and replace - a credit freeze. The cost to place and lift a freeze, and how long the freeze lasts, depend on state law. This FTC article tells more about how credit freezes work.

If you choose to place a credit freeze, it may not stop misuse of your existing accounts or other types of identity theft. The  companies you do business with would still have access to your credit report for some purposes.

Is it safe to give "MyIDCare" my soc. sec. no.? This is the company that OPM's website tells me to connect to.

The OPM website tells how to sign up for identity monitoring and credit monitoring services if you want those services. The OPM website has a link to My ID Care, which is providing the services.

How do I know terrorists will not use my information for fake passports?

What should the return address be on the letter we receive? Cannot find anything about this on their website and I want to make sure the one I got in the mail is legitimate.

The OPM website (opm.gov) shows samples of the letters they sent to people affected by the breaches. View the letters on this page on opm.gov under Actions You Can Take Now.

It shows samples, but does not say what the return address on the letters should be.

So I'm supposed to enter in all my information that was compromised AGAIN when I sign up for OPM? LOL I don't think so.

My question, as well? What do I need to do to protect my passport information? Will they reissue a passport with a new number or is it like the SS# that you can never change it even for protection? Does OPM notify the other agencies/depts. of each person's compromised information in this matter, ie IRS, SS, and State? If so, will it raise flags each time I have transactions, such as filing my taxes, traveling, etc.?

Just wanted to follow up on the passport thing. You can report it lost or stolen in this case, not compromised, at no cost. Then, for $135 total, you can get it replaced in 5 weeks time after going through the entire process the same as when you first applied for the passport. So, add that to changing all of your account/credit card numbers; re-setting up all of your auto pays, withdrawals, and deposits; placing credit freezes on your accounts, which cost you each time you lift them for credit approvals; and placing a fraud alert each 90 days, because this is not considered Identity Theft; and lastly, changing all of your passwords and user ID's. Remember, this is not considered Identity Theft in their eyes. Don't forget that if you included foreign citizen information for relatives on your clearance, their passport or visa information was compromised, also, but they are not included under the CSID coverage.

There are important differences between a fraud alert and a credit freeze. Read about the differences and then decide which one is best for your situation.

A fraud alert protect your credit from unverified access for at least 90 days. You could place a fraud alert on your file if your wallet, Social Security card, or other personal, financial or account information are lost or stolen. If you place a fraud alert a creditor can still get a copy of your credit report as long it takes steps to verify your identity. Fraud alerts may be effective at stopping someone from opening new credit accounts in your name, but they may not prevent the misuse of your existing accounts

If you place a fraud alert and later find out that your information was actually misused - meaning you are an identity theft victim - you can place an extended fraud alert that lasts 7 years.

A credit freeze stops all access to your account, unless you lift or remove it. A freeze makes it more difficult for identity thieves to open new accounts in your name. If you have an active credit freeze, a creditor can't get a copy of your credit report.

I also received a letter saying my information was compromised. I was told my ss number, address, banking info and finger prints have been compromised. What a major screw up this is! All this risk because I worked for post office part time for less than a year. I absolutely agree that this situation has resulted in undetermined level of risk that will ride with us for the remainder of our lives. And for this gross level of incompetence we are offered credit watch for 18 months. Talk about feeling like a victim.

The ID Experts OPM.gov sends you to, they ask for your social security number. Is it safe to give it to them? I did, but now I am worried this whole thing was a scam. The IDExperts web page looks legit though. I truly despise the Obama administration with a deep passion now. I did not think my anger for them could get deeper. Why are we getting only 3 years of cyber protection by the way? Shouldnt it be for life? Who got fired over this? Bush sent us $600 checks in the mail. Remember that? Obama sends us identity theft.

We all need to be protected for life. Alerts on credit records are inadequate.

How about placing alerts on the ***Social Security records*** and issuing new SSNs to those whose information was stolen? Wouldn't that be cheaper than paying for the 3 years of credit monitoring?

Three years of monitoring won't help much anyway! Do you really think that the ones who stole the information won't know precisely when the monitoring ends? They'll just sit on their treasure trove until it's easier to use in three years!

I received the letter from US OPM indicating that my SSN, fingerprints and other personal information was compromised in the cyber intrusion. I followed the instructions in the letter exactly and I got a message back that "I couldn't be authenticated". I have since tried several more time and I am getting the message that the Pin Number is invalid.

I have called the number provided in the letter. I keep getting put on hold for huge amounts of time and then being told that I have to leave my name and number and someone will call back. No one ever call back. The people on the phone are extremely unthelpful, rude, and inept.

It is crazy what a person in this situation has to go through to try and get signed up for credit and identify monitoring services.

My OPM letter was sent to my maiden name which I haven't used in over 30 years. I did a short stint with the Census Bureau about 10 years ago, long after I was married. Why is the breach showing up under my maiden name? I can only ask questions after registering my PIN. There is no way to ask questions first. I'd like an answer before I attempt to enroll and make myself more vulnerable by giving away more of my private information.

You'll find an answer to your question on the OPM website, opm.gov.

For example, the site says that some letters were mailed with old addresses or names. If you believe the letter is meant for you, you may register using the Personal Identification Number (PIN) and the last four digits of your Social Security Number at www.opm.gov/cybersecurity.

I have never worked for the federal government in my life and I'm 44 years old. How am I included in this?

I agree Mary. Same here. Never worked for the govt and I'm 45 years old. How did my info get compromised?

So not only did the OPM get breached and our personal information stolen, then they reached out to to a 3rd party commercial entity and gave them our SSN and personal information to establish an account on our behalf for 18 months. I didn't agree to have ID Experts receive my personal information. Who is handling the class action lawsuit against OPM? I want in.

This is a 2-part question: 1) I went to apply for the protections from MyIDCare and the application required all of my personal info, including SS#, date of birth, address, etc. Naturally, I am reticent to fill this info out online. Is this legitimate?

2) The notice from OPM uses my married name. I have been using my birth name for many years, including with the IRS and employers, no problem. However, I never changed my name legally back to my birth name with the SSA. If the application process I described above is legit, should I use my birth name that I have been commonly using for years or the name the SSA has in file?

Go to opm.gov for the most current information.

If you want to enroll in identity monitoring and credit monitoring services, you could follow the link from the OPM site. It takes you directly to the service OPM is providing.

You may be able to get information about your name change from the service provider, SSA or the Chief Privacy Officer at your agency.

Why am I just getting this notice now? OPM had incompetent security and it took them more six months to notify me of breach. This is typical .GOV B S

I received the letter from OPM this afternoon, however at no time have I ever worked for the government. I have worked the same job for over 7 years in the private sector and have not ever applied for a federal position. Why did I receive this letter? I want to make sure that I am doing the right thing for me and my family, however this is very confusing and worrisome. Please advise. Thank you.

Go to opm.gov for the most current information.

The OPM site lists people who might be affected by the background investigation records breaches. It includes:

  • Current or former Federal government employee
  • Member of the Military, or Veteran
  • Current or former Federal contractor
  • Job candidate required to complete a background investigation before your start date
  • Spouse, co-habitant, minor child, close contact of any of the above group

I Just received a notification and I don't fall under any of the listed criteria. Needless to say I'm upset,confused and very concerned.

Both my spouse and child including myself, all three of us, received OPM notifications so there is a greater probability of threat against us. What I’m reading seems like Band-Aid approach that puts my entire family at future risk. Is the OPM embracing measures to protect USA citizens beyond the present method said or is this as good as it gets?

How important is it that I report my passport stolen/lost? Also if I sign up for the "free credit monitoring" after doing so can I place the "freeze" with all credit bureau accounts? Or is it one or the other, freeze or credit monitoring? And lastly is the letter that i received from OPM enough to open a police report of identity theft?

If your passport was stolen or lost, read about what to do at identitytheft.gov. Look under the section called "Other Steps" and click on "Replace Government Issued IDs."

This FTC article has information about credit freezes. A credit freeze lets you restrict access to your credit report. That makes it more difficult for identity thieves to open new accounts in your name.

A credit monitoring service does not freeze your report. A company may track your credit report, and send you an email about recent activity, like an inquiry or new account. If you're considering credit monitoring, ask the company what it monitors and when it will contact you.

If you got a notice that your personal information was exposed in a data breach, that's not the same as identity theft. If you got a breach notice, read about what to do if information is lost or stolen.

If someone is mis-using your personal information to open new accounts, get a job, buy things or do other things with your information, that's identity theft. Read about what to do at identitytheft.gov.

I am an ex postal employee. My letter came to my mom's address that I have never used. I am very reluctant to put in my dob and social# in the myidcare that opm sends me to. Is this just another scam?? Doesn't look like a very secure site!

I received a letter that my SSN was taken in the breach. I go to the site to sign up for free credit monitoring (only good for 3 years - I'm in my twenties, hopefully I live a little longer than that), but in order to sign up you have to agree to their terms of service, under which, they basically say that you agree they are not liable for anything if you enroll... Is it just me, or does this not seem like a good idea? They were the ones that didn't protect my information, why should I have to agree to their terms? This is a pretty big deal. Shouldn't we have rights, other than accept their simple credit monitoring (where you have to agree that they will not be liable for anything) for only three years and now we are even?

I am very frustrated with ID Experts and OPM. Because I have a credit freeze on my accounts, there is no pro-active credit monitoring or ID monitoring. Essentially, the ID Experts coverage is useless unless I lift the credit freeze. There is no explanation of this Catch 22, which means a lot of us are wasting time trying to set up an account that will never work. (Took three tries to get an explanation of why the setup on the web did not work). Given the information accessed and the likely attackers, some real identity protection seems warranted, but you cannot get identity protection unless you lift the credit freeze.

On one hand I think that since my information is already stolen and out in the world, does it make a difference if I just enter it willy-nilly on some sketchy looking site that is provided by the Office that allowed my information to be stolen in the first place? OR, do I pony up $5 a month for my bank to do the monitoring for me (and to provide $1 million in ID theft insurance)?

I think the LEAST the OPM can do is allow us to choose our own credit monitoring service and then reimburse us for that (up to a reasonable amount)and for life (or until our identities are tied to microchips embedded in our foreheads).

Can this stipulation be included in the class action suit?

What's to stop whoever took the information from doing other things besides applying for credit? Is there going to be a way to find out if you voted 25 times at 25 different locations in the next election? ... and after 3 years, then what? What if they sit on this info for 5 years before they do anything?

Go to opm.gov for the most current information.

If you were affected by the background investigation records breach, you can choose whether to sign up for the credit monitoring and identity monitoring OPM will provide.

Identity monitoring services will monitor the internet and database sources including databases that pertain to criminal records, arrest records, bookings, court records, pay day loans, bank accounts, checks, sex offender, change of address, and Social Security number trace.

I filled out the id information for the 2 year protection it took all my personal information then it refused to submit it. when i tried to go back to the page to erase it it disappeared. what do i do now? the site said it was secure, but it didnt submit the information.

The OPM site (opm.gov) says if you have questions about an account you may call 800-750-3004.

This makes several breaches. Anyone remember the Tricare breach in Arizona? How about the SAIC one? The VA one just a few years back. Now OPM too. Looked over my last SF87 or 86. Lots of info. Unneeded info. Why do they need to know about relatives who have passed on? I say get the IT person and jail em. The odd thing is that NPRC can't seem to find my MPF. lol gubmint gotta love it.

I also tried to sign on only to get the invalid pin message. I didn't freeze my credit so that's not the cause. Any suggestions? After seeing all the above responses, I'm not sure I want to call the 800 number.

I received a letter that my fingerprints/data were affected but do not meet any of the criteria on their website.* I can't reach anyone at OPM who can tell me how my information got to OPM in the first place. Any ideas on how to get that information?

*Really - I read all of the criteria. There is no reason OPM should have my name much less my fingerprints. I work for a state agency but confirmed we don't send fingerprints/data to OPM, and none of my co-workers who went through a state background check have received letters.

I do not see the point to all this. Yes, it is a shame that this incident happened. Yes, it is devastating. Yes, maybe placing, at least, an initial fraud alert might help. But, if so many people are complaining about not getting through on the toll-free phone number and being put on hold for three, or so, hours, if the pin number doesn't work on MyID Care.com, what does this all mean? No one, OPM, DoD, or anybody, has the right answers here, including protecting the public. It's time to turn to God.

I received a letter notifying me that my Social Security Number and other personal information was included in the intrusion. I'm trying to take advantage of the comprehensive identity theft and monitoring services. I've lost my notification letter.

My notice took a long time to reach me b/c it was sent to an old address. How can I update my address with OPM so that sensitive information comes to me sooner, rather than later?

Please visit the FAQ section of OPM’s Cybersecurity Resource Center at https://www.opm.gov/cybersecurity/faqs/

If you can’t find an answer to your question, OPM asks that you email suggestions for additional FAQs to cybersecurity@opm.gov.

I have to correct some of these reports and updates for the contractors. I'm a contractor and I was affected so that is incorrect and I have been in OPM system since 1990 as a contractor and presently a contractor for the Government and I was definitely affected as I have received a letter. Again, contractors were affected in this data breach. I hope contractors like myself can be part of a lawsuit.

Can I request a PIN # to file my tax returns to ensure the returns are safe?

Please see the IRS page, Get Your Electronic Filing PIN, for more information.

OPM sent me a letter. I was in the military and did a background check for a DHS job that I applied too. So far nothing from lawyers. Apparently no one wants to take the case unless there is proof that the personal information is being used. I'm still searching for one. Credit/ identity protection is useless. I registered for it, still applied & bought a new car few months ago and never received notification that I applied dor it.

Each member of our family had their info compromised with the hack. While the gvt would give credit reports to those over 18yr it refused to give any protection for our 17yr old claiming a minor wouldn't have credit anyway. WE argued.But gvt would not listen. well. we just learned this child had identity stolen and being used. couldn't even open a bank acct. what a mess. how can i get anyone from the gvt to help me with this? where is that law suit?

Please visit IdentityTheft.gov to report and recover from identity theft.

I got the notice about the security breach. I registered for the my id monitoring which did nothing for me. So far my identity has been stolen twice already. They used 2 of my credit cards already. So where is my protection?

Leave a Comment

Comment Policy

Read Our Privacy Act Statement

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system, and user names also are part of the FTC’s computer user records system. We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.