OPM data breach – what should you do?


Update (December 9, 2015): OPM discovered a second data breach that affects federal employees, contractors, and others. If you received a letter from OPM, please visit opm.gov/cybersecurity to learn more about what happened and to sign up for free identity protection services.

A data breach at the Office of Personnel Management (OPM) – and you’re a current or former federal employee whose personal information may have been exposed. What should you do? Take a deep breath. Here are the steps to take. 

First Steps

  • Check your credit report at annualcreditreport.com. Look for accounts or charges you don’t recognize. Even if the breach didn’t involve credit card information, thieves may use your Social Security number, address and date of birth to open accounts in your name.
  • OPM announced that it plans to offer credit report access, credit monitoring, and identity theft insurance and recovery services to potentially affected individuals. Take advantage of this offer.
  • Place a fraud alert on your credit reports. With a fraud alert, businesses must verify your identity before providing new credit. An initial fraud alert lasts 90 days but you can renew it.    

Next Steps

If your information was exposed, then OPM will send you a letter explaining what information was involved. Your next steps depend on the type of information exposed:

Social Security number

  • Consider placing a credit freeze. Why? Thieves can use your Social Security number to open new accounts. With a credit freeze, no one can open a new account in your name (until you lift the freeze).
  • Next year, try to file your taxes early – before a scammer can. Once your Social Security number is exposed, a thief can use it to get your tax refund.

Bank account, credit card, or debit card information

  • Contact your bank or credit card company to cancel your card or close your bank account. Request a new account number.
  • If you have automatic payments, update them with your new account number.
  • Review your transactions regularly to make sure no one has misused the account.

Online login or password

  • Log into the account to change your username or password. If you can’t log in, then ask to shut down the account.
  • If you use the same password elsewhere, change that too.

For updates about the breach, check OPM’s website. For more information about what to do after a data breach, and a handy checklist of steps, visit Identitytheft.gov/databreach.

Remember to continue checking your credit report at annualcreditreport.com, in case information is misused in the future. You can order a free report from each of the three credit reporting agencies once a year.

If you discover that someone is misusing your information, you’ll need to take additional steps, including filing a complaint with the FTC. IdentityTheft.gov walks you through those steps – because recovering from identity theft is easier with a plan.   

Comments

Is this impacting retirees and recipients of death benefits?

Former federal employees could be affected. OPM's website says that beginning on Jun 8 and continuing through June 19, OPM will be sending notifications to approximately 4 million individuals that could be affected by the breach.

How do I delete my idcare account? I think it's all fraud. How do I delete?

MyIDCare is what is being used to protect you, it is not fraud.

MeDIcare is an OPM company the same folks that are responsible for the breach

I'm still USMC wife of 13yrs, & I'm a Former Government Contractor X's 2 @ a Naval Hosp Fam Med & did the fingerprint(2002-2005 & 2008-2009), then moved onto the Taxpayer Advocacy Panel w/in the IRS/Dept of Treasury; got another OMB No. Sec Clearance.

Here's my issues: I get this letter, thinking it was my husbands this time. (Note: I have been dealing w/every type of fraud since 2005 & I've been hit 18 times, since before this letter.) Now, I call & I set it all this up, thru IDCare, BAM!! They call me, "Mrs. X, your email address, do u not know"? ... You have to have a "Special Pin #", you should have been getting a lot of notices that all your personal information, banking and financial services and medical and more were compromised back around 2003-2004."

"Excuse me"?? I tell them about my cell that was sent to me UN-ReStored & no one will take the blame for it, all the bank charges of fraud & won't pay back, how many yrs I have worked on this, the Government saying no ur SS# safe, when I had to prove I owned it & I have was me in 2005?? I just want to know bc I'm so tired of filing who @ the OPM is personally responsible for not notifying me? My husband is Active Duty, I'm EFMP, they're in the same building, or so I heard... Who is going to fix our credit, make the banks, credit card Companies pay us back? Honestly, How many years was I not contacted about this lack of communication & w/my diagnosis's I don't have the energy Renal disease takes it all out of you. Help us plz

If you enrolled in identity protection services after your information was involved in a data breach, you can ask the service to help you respond to problems with your accounts.

You could go to IdentityTheft.gov to report identity theft and get a personal plan to help you respond to problems. You can list the accounts that were affected, and get a checklist of steps to take to respond to problems. You can also get an Identity Theft affidavit and prefilled letters and forms to send to companies and creditors when you report identity theft.

Yes, I have done all that, however, yet nothing is being done to me. Matter of fact I've found that my medical records are missing several years & that I'm still doing everything on my own. Plus I have been informed by DMV, which wouldn't give me any proof, that my SS# & more has been used in other states for DL. I can't make a police report on word of mouth, I have to have written proof for anything to stick. Ty

Pervasively hacked for 5+years by example. Did all the required reports. It ruined my life and not one agency or company did a thing. I have evidence and am informed by very knowledgeable skilled persons that what is being used to illegally cyberstalk me is technologies that the government should be interested in as it is beyond what is being seen but I'm only a person so nothing. Hopefully I can get a volunteer group to take my case.

Please advise if records included previous employment prior to 2000. Recent credit report denotes identity theft has been displayed. Will contact Bank.

OPM's website says that beginning on Jun 8 and continuing through June 19, they will be sending notifications to approximately 4 million current and former federal employees that could be affected by the breach. We don't have any other details right now.

I have been a Fed Employee for 35 years. All my cpo coworkers were notified, but I have not received notification from OPM, and therefore do not have a PIN number for the credit monitoring service. There are no instructions or contact info on what I should do next. What do you suggest?

Does this affect Government Contractors? Secret clearances?

OPM's website says that beginning on Jun 8 and continuing through June 19, they will be sending notifications to approximately 4 million current and former federal employees that could be affected by the breach. We don't have any other details right now.

A security freeze is advisable to prevent new accounts being opened in victim's name.

First and foremost, the OPM is supposed to be, primarily, still on paper. Secondly, how is it that the Federal Government and OPM could allow this to happen? BC&BS, now OPM? Is anything run by anyone safe, anymore. People have been forced into electronic records systems that they have no control over. They have to "trust" the folks in charge of guarding their information. Obviously, our trust has been misplaced. As well, why on God's green earth does all that computer data have to be connected to the web, 24/7. It's as though government and the private sector are begging for a security breach. No system has to be connected to the web 24/7. The whole concept is stupid and naïve. We were at least safe with good old paper.

Joe, you are stone cold RIGHT. I worked with computers for most of my life and what you say is the truth. It's way past time that we "just said NO" to those who constantly demand our personal data without any obvious need. The centralization of personal data in medical records is just asking for trouble. If doctors or anyone else refuse to serve you unless you "give" them your personal data, threaten to sue them.

They give no phone numbers to call? info good but no resource to call.

Additionally free credit monitoring from whom? telephone number? identity theft insurance from whom and what is telephone number -

OPM's website says that OPM is offering affected individuals credit monitoring services and identity theft insurance with CSID. Additional information is available beginning at 8am CST on June 8, 2015 by calling toll-free 844-222-2743 (International callers: call collect 512-327-0700).

Anyone notice that these websites aren't even secure no s in http

You understand that https secures the information in the connection and doesn't secure an exploitable server holding the information. Https helps a person communicate with the server securely. It doesn't prevent someone from breaking into the server and stealing information

When my wife got her CSID letter early on, I watched her follow the steps to create a CSID account. We noticed that neither the Safari nor FireFox browsers displayed a "lock" indicating encrypted connection. Nor was the site an "https:" site. We bailed. Three weeks later the https and lock indicators were present and she opened her account smoothly.

Will the federal employees get a letter about this? My sister-in-law worked for the veterans administration for many years. She doesn't do computers. Can I get an answer so I can make her aware of it?

OPM's website says that beginning June 8 and continuing through June 19, OPM will be sending notifications to approximately 4 million individuals who could be affected by the breach. The email will come from opmcio@csid.com. In the event OPM does not have an email address for the individual on file, a standard letter will be sent via the U.S. Postal Service.

I hold OPM 100% accountable for the breach. If I become victim of any of the possible implications I will take legal action against OPM and recommend anyone else affected to do the same.

I am wondering if federal employees may take legal action against OPM based on the current circumstances. I don't think the limited free credit monitoring services and identity theft insurance with CSID is enough! What happens when these services are stopped; who pays. What happens when the bad guys start to overlay data from BC/BS, banks and IRS. There is too much at stake here.

I am with you. How can they dare say "We are not liable", when they are totally liable for this breach. With all of the IT people and resources available to the government, how can they justify this. Plus - the original breach happened in April - why notify us in June?

I agree with legal action, if need be. This appears to be a massive problem that could get worse.

How do we know we can trust this CSID service organization when we couldn't trust you, OPM, to protect our information? My understanding from initial reports is that affected individuals' social security numbers were not encrypted. That is inexcusable. OPM, you owe us BIG TIME.

We got a notice today from opm saying our information has been hacked. We have never worked for the government. What is going on?

The OPM site (opm.gov) has questions and answers for people affected by the background investigation records breach.

The site says that if you had a background investigation through OPM in 2000 or afterwards (and submitted forms SF 86, SF 85, or SF 85P for a new investigation or periodic reinvestigation), it's very likely you were affected.

You might also be affected if you are a:

  • Current or former federal government employee
  • Member of the military or veteran
  • Current or former federal contractor
  • Job candidate required to complete a background investigation before your start date
  • Spouse, co-habitant, minor child, close contact of any of the above groups (because someone might have listed you on THEIR application)

Does this also involve grants?

Go to opm.gov for the most up-to-date information.

OPM's message on June 4, 2015 said the incident may affect personal information of current and former Federal employees.

OPM will send notices to approximately 4 million individuals whose personally identifiable information might be affected by the incident.

Why did I get this email? I have never been a federal employee.

If you got an email with a link to this blog post, it's because you signed up to get FTC Scam Alerts or other news.

If you don't want to get these emails and blogs, go to ftc.gov/stay-connected and click “Manage my email subscriptions” near the bottom of the page to change your subscription.

Excellent! ThankYou! If necessary We will be ready. Thanks again Jose.

Is this another way of letting the consumer know that even our federal gov't has major flaws when it comes to keeping things under wraps, but harassment when tax time is due or when we reach retirement?

The firewall should have had a brute-force attack shield built in that would take the server down in the event of multiple attempts to gain access. This tells me that an employee was on the inside and activated a trojan horse, or simply acted maliciously. Never click on links that did not originate from the office. I think it is better that no one click on any links at all, thus saving embarrassment like this, and possible harm. Another tip: if you receive an email from anyone, inside your office or outside of the system, that either promises you a reward if you act or threatens you harm if you do not act, and has a sense of urgency in the words, DO NOT OPEN ANY ATTACHMENTS. Instead, DELETE the email, and inform your MIS department or security officer. Any action at all could unlock a trojan horse that could wipe your computer clean, or lay your server open like a gutted fish, allowing outsiders access to your information. BE VIGILANT! That is your job one!

Even if an employee clicked on an embedded link via email or other, the IT security config. should have blocked and/or prevented connecting it. It was more than just a simple re-direct and they knew of the vulnerabilities via internal audits and took no action to fix their IT security issues. The Head of IT and his/her Boss should be fired!

Do I need to apply for the free identity theft insurance coverage or is this automatically applied should I find my accounts breached? Thanks, John

Go to opm.gov for the most up-to-date information.

On June 4, 2015, OPM said it will offer credit monitoring services and identity theft insurance to people who are affected.

Exactly what information was compromised? Is my checking account information for direct deposit and expense reimbursement compromised? Do I need to close that account?

Go to opm.gov for the most up-to-date information.

On June 8, 2015, OPM's website said: "The kind of data that may have been compromised in this incident could include name, Social Security Number, date and place of birth, and current and former addresses. It is the type of information you would typically find in a personnel file, such as job assignments, training records, and benefit selection decisions, but not the names of family members or beneficiaries and not information contained in actual policies. The notifications to potentially affected individuals will state exactly what information may have been compromised."

Well..OPM did not tell WHAT in my Top Secret information was accessed. SO how do I ask OPM for that information? I have the 'free' credit reporting..which is a joke..it reports SEX OFFENDERS who live near me; it's only good for a year. Will OPM certify my data has been recovered and all hacked information deleted from hacker data stores..I don't think so. This is PERMANENT identification data..it's not credit card numbers..it's data to allow a hacker to take over an Identity. We need more than ONE YEAR credit monitoring..we need lifetime. AND we need financial assistance to cover all damages should the data be used in fraud. Just reporting via email..does not cut it.

Go to opm.gov for the most current information.

If you were affected by the background investigation records breach, you have access to credit monitoring service from September 1, 2015 to December 31, 2018.

You also have access to identity monitoring, identity theft insurance and identity restoration services. The OPM site explains how to access the services.

I am concerned that the thieves will sit on the information and use it in the future when they think we have forgot about this breach. We need to have free credit report access for life!

Absolutely free credit reports for life. Free ID theft premium level protection for life. Also, what mailing address will they use to notify me if I may be a victim ? Will it be an address I can no longer access or collect physical mail from ? If by email, how can I be sure it's the government and not the hackers trying to scam me ? Having been former military, temporary federal employee, and having received VA benefits, I'm concerned but need to check next credit report as authorized once every 12 months for free.

Go to opm.gov for the most current information. 

If OPM doesn't have an email address for you, it will send a standard letter by U.S. Postal Service. OPM said it will mail all letters by June 19th. You might get a letter after that date, depending on the postal service in your area.

You might get an email about the OPM breach. It will come from opmcio@csid.com and will include your name, your PIN, a button to “enroll now” and information about the CSID Protector Plus program. If you prefer, rather than clicking the “enroll now” button, you can go directly to CSID’s website to enter your PIN and enroll.

If you aren't sure that the email you got is legitimate, check OPM’s website for more information and updates. If you think you’ve been tricked by a phishing email or a fake call, then file a complaint with the FTC and forward the email to spam@uce.gov.

If you have already received your three free credit reports earlier in the year, you cannot get free new ones to investigate this breach. Also, the free credit monitoring only has Transunion credit report information, leaving you missing the other two reports. Frequently the reports do not contain equal reporting data. OPM should pay for personnel to get free reports because of the breach if they have already pulled their credit reports earlier in the year.
