Security Breach Information

Please read the following information related to the security breach:

 

Your PIN code XXXXXXXXXXX

To enroll for coverage, either click on the button above or type or paste the following website into your browser: https://www.csid.com/opm

 Below is an example of the letter OPM sent out to employees whom they believe may have had their personal information compromised/accessed/hacked. 

It looks like “Junk Mail.”

 

Dear Mr.   XXXXXXXX

I am writing to inform you that the U.S. Office of Personnel Management (OPM) recently became aware of a cybersecurity incident affecting its systems and data that may have exposed your personal information.

Since the incident was identified, OPM has partnered with the U.S. Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT) to determine the impact to Federal personnel. OPM immediately implemented additional security measures and will continue to improve the security of the sensitive information we manage.

You are receiving this notification because we have determined that the data compromised in this incident may have included your personal information, such as your name, Social Security number, date and place of birth, and current or former address.  To help ensure your privacy, upon your next login to OPM systems, you may be required to change your password.

OPM takes very seriously its responsibility to protect your information. While we are not aware of any misuse of your information, in order to mitigate the risk of potential fraud and identity theft, we are offering you credit monitoring service and identity theft insurance through CSID, a company that specializes in identity theft protection and fraud resolution.  All potentially affected individuals will receive a complimentary subscription to CSID Protector Plus for 18 months.  Every affected individual, regardless of whether or not they explicitly take action to enroll, will have $1 million of identity theft insurance and access to full-service identity restoration provided by CSID until 12/7/16.

To access the trusted pages that will facilitate enrollment into this identity protection service, type or paste the following website into your browser: https://www.csid.com/opm

You will need to use the PIN code at the top of this correspondence to enroll in these services. Individuals can also contact CSID with any questions about these free services by calling this toll free number, 844-777-2743 (International callers: call collect at 512-327-0705).

Protector Plus coverage includes:

  • Credit Report and Monitoring: Includes a TransUnion® credit report and tri-bureau monitoring for credit inquiries, delinquencies, judgments and liens, bankruptcies, new loans and more
  • CyberAgent® Internet Surveillance: Monitors websites, chat rooms and bulletin boards 24/7 to identify trading or selling of your personal information
  • Identity Theft Insurance: Reimburses you for certain expenses in the event that your identity is compromised with a $1,000,000 insurance policy
  • Court and Public Records Monitoring: Know if your name, date of birth and Social Security number appear in court records for an offense that you did not commit
  • Non-Credit Loan Monitoring: Know if your personal information becomes linked to short-term, high-interest payday loans that do not require credit inquiries
  • Change of Address Monitoring: Monitor to see if someone has redirected your mail
  • Social Security Number Trace: Know if your Social Security number becomes associated with another individual’s name or address
  • Sex Offender Monitoring: Know if sex offenders reside in your zip code, and ensure that your identity isn’t being used fraudulently in the sex offender registry
  • Full-Service Identity Restoration: Work with a certified identity theft restoration specialist to restore your ID if you experience any fraud associated with your personal information

These services are offered as a convenience to you. However, nothing in this letter should be construed as OPM or the U.S. Government accepting liability for any of the matters covered by this letter or for any other purpose. Any alleged issues of liability concerning OPM or the United States for the matters covered by this letter or for any other purpose are determined solely in conformance with appropriate Federal law. Please note that these services are offered to the specific addressee of this letter and are not available to anyone other than the individual who received this notification.
 
We regret this incident. Please be assured that OPM remains deeply committed to protecting the privacy and security of information and has taken appropriate steps to respond to this intrusion. The incident was uncovered as a result of OPM’s aggressive effort to update its cybersecurity posture over the past year, including the addition of numerous tools and capabilities to its networks that both help detect and deter a cyber-attack.
 
Please note that neither OPM nor any company acting on OPM’s behalf will contact you to confirm any personal information. If you are contacted by anyone purporting to represent OPM and asking for your personal information, do not provide it.
 
To learn more and enroll, visit CSID’s website at
https://www.csid.com/opm
 
Sincerely, 
Donna K. Seymour
Chief Information Officer
U.S. Office of Personnel Management

 

Additional Information 
 
As a reminder, you should follow the below routine precautionary measures to help protect your identity and personal affairs:

  • Monitor financial account statements and immediately report any suspicious or unusual activity to financial institutions.
  • Request a free credit report at www.AnnualCreditReport.com or by calling 1-877-322-8228. Consumers are entitled by law to one free credit report per year from each of the three major credit bureaus – Equifax, Experian, and TransUnion – for a total of three reports per year. Contact information for the credit bureaus can be found on the Federal Trade Commission (FTC) website, www.ftc.gov.
  • Review resources provided on the FTC identity theft website, www.identitytheft.gov. The FTC maintains a variety of consumer publications providing comprehensive information on computer intrusions and identity theft.
  • You may place a fraud alert on your credit file to let creditors know to contact you before opening a new account in your name. Simply call TransUnion at 1-800-680-7289 to place this alert. TransUnion will then notify the other two credit bureaus on your behalf.

How to avoid becoming a victim:

  • Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about you, your employees, your colleagues or any other internal information.  If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
  • Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information.
  • Do not reveal personal or financial information in email, and do not respond to email solicitations for this information.  This includes following links sent in email.
  • Do not send sensitive information over the Internet before checking a website’s security (for more information, see Protecting Your Privacy, www.us-cert.gov/ncas/tips/ST04-013).
  • Pay attention to the URL of a website.  Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
  • If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (www.antiphishing.org).
  • Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic (for more information, see Understanding Firewalls, www.us-cert.gov/ncas/tips/ST04-004; Understanding Anti-Virus Software, www.us-cert.gov/ncas/tips/ST04-005; and Reducing Spam, www.us-cert.gov/ncas/tips/ST04-007).
  • Take advantage of any anti-phishing features offered by your email client and web browser.

Additionally, if you are or have been a Federal employee or contractor and become aware of any contacts or other activity that could raise security concerns, you should immediately contact your security officer or former security officer for further guidance.
 
You can obtain additional information about steps to avoid identity theft from the following agencies.  The FTC also encourages those who discover that their information has been misused to file a complaint with the FTC.
 

For California Residents: 
Visit the California Office of Privacy Protection (www.privacy.ca.gov) for additional information on protection against identity theft.

 

For Kentucky Residents: 
Office of the Attorney General of Kentucky
700 Capitol Avenue, Suite 118
Frankfort, Kentucky 40601
www.ag.ky.gov
Telephone: 1-502-696-5300
 

For Maryland Residents: 
Office of the Attorney General of Maryland
Consumer Protection Division
200 St. Paul Place
Baltimore, MD 21202
www.oag.state.md.us/Consumer
Telephone: 1-888-743-0023
 

For North Carolina Residents: 
Office of the Attorney General of North Carolina
9001 Mail Service Center
Raleigh, NC 27699-9001
www.ncdoj.com
Telephone: 1-919-716-6400
 

For all other US Residents: 
Identity Theft Clearinghouse
Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, DC 20580
www.identitytheft.gov
1-877-IDTHEFT (438-4338)
TDD: 1-202-326-2502

=======================================================

NTEU CONGRESSIONAL TESTIMONY ON OPM DATA BREACH

Please click the link below for a PDF containing the NTEU Congressional Testimony on the OPM data breach.

TESTIMONY ON OPM DATA BREACH (PDF)

============================================================

OPM Releases New List of FAQs on Data Breach

FEDSMITH - June 19, 2015

The Office of Personnel Management has revised its list of frequently asked questions with updated information on the data breaches that hit its computer systems. The updated questions and answers are included below.

What happened? Was there one intrusion or two?

OPM became aware of an intrusion affecting its systems and data in April 2015 and launched an investigation with its agency partners, the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). In May 2015, through this investigation, OPM became aware of the potential compromise of data related to personnel records for current and former Federal employees. The agency began notifying potentially affected individuals on June 8. OPM is currently in the process of sending notifications to the approximately 4 million individuals whose personally identifiable information (PII) may have been compromised in that incident. Since the investigation is ongoing, additional PII exposures may come to light; in that case, OPM will conduct additional notifications as necessary.

During the ongoing investigation into the cyber intrusion of OPM that compromised personnel records (announced June 4), OPM, with its interagency partners, became aware of the possibility of a separate intrusion affecting a different set of OPM systems and data.

On June 8, as the investigation into the initial intrusion proceeded, the Interagency Response Team shared with relevant agencies that there was a high degree of confidence that OPM systems containing information related to the background investigations of current, former, and prospective Federal government employees, and those for whom a Federal background investigation was conducted, may have been compromised.

OPM, DHS, and the FBI are working as part of this ongoing investigation to determine the number of people affected by this separate intrusion. Since the investigation is ongoing, we are in the process of assessing the scope of the information that has been compromised, but we expect OPM will conduct additional notifications as necessary.

Am I affected by the breach of personnel records? Can I expect to receive a notification that any of my records were involved?

As part of our ongoing notification process, we are committed to providing the most up-to-date information to ensure affected individuals have the necessary resources and information available to protect their interests and security. OPM is continuing to examine the data and systems that may have been compromised. For example, we have confirmed that any Federal employee from across all branches of government whose organization submitted records to OPM for future retirement processing may have been compromised—even if their full personnel file is not stored on OPM’s system.

These individuals were included in OPM’s initial estimate of approximately 4 million individuals whose data may have been compromised and are currently being notified. These records include service history records (such as the SF 2806), court orders, and other records and information that pertain to annuity calculations. The Personally Identifiable Information (PII) contained in these records includes name, Social Security numbers, dates of birth, and possibly other sensitive information.

Current and former Federal employees, from all branches of government may receive a notice if:

  • They currently work for a Federal agency for which OPM maintains the personnel records.
  • They previously worked for a Federal agency for which OPM maintains the personnel records.
  • They worked for a Federal agency or organization that submitted to OPM service history documentation to support future retirement processing. While organizations across all branches of government must submit these records under certain conditions, organizations may also submit these for various reasons, at various times, at their discretion. Some of these reasons could include:
    • When an individual moves from one agency or organization to another.
    • When an individual separates from an organization.
    • When an individual retires from an organization.
    • When an organization has a change in payroll service center.
    • Starting on Monday, June 8th, OPM will begin notifying affected individuals. The notification process is expected to last until Friday, June 19th. Affected individuals should generally expect to receive an e-mail from OPM (the e-mail address will be ) which will contain enrollment information for credit monitoring and identity theft protection services from CSID, a company that specializes in identity theft and fraud protection. OPM will be providing the CSID services for 18 months at no cost. For impacted individuals with no e-mail address on record, OPM will send a letter through the U.S. mail. The e-mail and letters will contain needed instructions and PIN codes in order to access the CSID identity protection services provided by OPM.
    • Also, starting at 8:00 a.m. CST on Monday, June 8th, individuals can visit the CSID web site at / or call toll-free 844-222-2743 (International callers may call 512-327-0700 collect) for additional information and further updates.
    • Employees should take steps to monitor their personally identifiable information and report any suspected instances of identity theft to the FBI’s Internet Crime Complaint Center at .
    • For additional information about preventative steps, consult the Federal Trade Commission’s website, .  The FTC also encourages those who discover that their information has been misused to file a complaint with the commission using the contact information below.

If you are unsure whether your organization submits related documentation to OPM to support future retirement processing, please contact your organization’s Human Resources Office.

How will I be notified if my data is affected?

OPM began conducting notifications to individuals whose personnel records were affected using email and/or USPS First Class mail on a rolling basis from June 8, 2015 through June 19, 2015. However, it may take several days beyond June 19 for a notification to arrive.

In the case of the incident involving background investigations information, the investigation is still ongoing, and we will notify affected individuals as soon as is practicable. As with any such event, it takes time to conduct a thorough investigation and to identify the affected individuals.

What information was compromised in the intrusion involving personnel records?

OPM maintains personnel records for the Federal workforce. The kind of data that may have been compromised includes your name, Social Security number, date and place of birth, and current and former addresses. It could include the type of information you would typically find in a personnel file, such as job assignments, training records, and benefit selection decisions. The notifications to potentially affected individuals will state exactly what information may have been compromised.

In the case of the incident involving background investigations information, the investigation is still ongoing, and we will notify affected individuals if their data was affected as soon as is practicable. As with any such event, it takes time to conduct a thorough investigation and to identify the affected individuals.

Was background clearance information compromised?

During the investigation into the cyber intrusion of OPM that compromised personnel records (announced June 4), OPM, with its interagency partners, became aware of the possibility of a separate intrusion affecting a different set of OPM systems and data.

On June 8, as the investigation into the initial intrusion proceeded, the response team shared with relevant agencies that there was a high degree of confidence that OPM systems containing information related to the background investigations of current, former, and prospective Federal government employees, and those for whom a Federal background investigation was conducted, may have been compromised.

Since the investigation is ongoing, additional exposures may come to light. In that case, OPM will conduct additional notifications as necessary.

How many people were affected by both incidents? Do you have an estimate?

OPM is currently in the process of sending notifications to approximately 4 million current and former Federal civilian employees whose personally identifiable information (PII) may have been compromised in the incident impacting personnel records. It is important to note that this is an ongoing investigation that could reveal additional exposures. If that occurs, OPM will conduct additional notifications as necessary.

Were members of the military or contractors affected by either breach?

As of now, we do not believe the first incident involved personnel records of active military personnel. It did affect current and former Department of Defense civilian employees. Additionally, in the first incident, no contractors were affected unless they previously held Federal civilian positions.

However, since the investigation is ongoing, additional exposures may come to light; in that case, OPM will conduct additional notifications as necessary.

Are Federal retirees affected by either breach?

Some Federal retirees are affected by the incident involving personnel records announced on June 4 and they are among the approximately 4 million current and former Federal civilian employees receiving notifications. We have not yet determined the scope and impact of the separate incident involving background investigation data. Since the investigations into both incidents are ongoing, additional exposures may come to light; in that case, OPM will conduct additional notifications as necessary.

Have the police been notified?

Since both incidents were identified, OPM has partnered with the U.S. Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT), and the Federal Bureau of Investigation (FBI) to investigate and determine the full impact to Federal personnel. Federal law enforcement agencies continue to investigate the matter and assist with remediation efforts. OPM immediately implemented additional security measures and will continue to improve security for the sensitive information it manages.

When did this happen?

OPM became aware of the intrusions into its systems in April (affecting personnel records) and May (affecting background investigations data) of 2015 after implementing tough new measures to deter and detect cyberattacks. The actual intrusions predated OPM’s discovery, but the precise timing is still a matter under investigation.

Was the data that was exfiltrated encrypted?

Though data encryption is a valuable protection method, today’s adversaries are sophisticated enough that encryption alone does not guarantee protection. OPM utilizes a number of different protection mechanisms for systems and data, and utilizes encryption when possible. However, due to the age of some of our legacy systems, data encryption isn’t always possible. In fact, encryption in this instance would not have protected the data.

Currently, we are increasing the types of methods utilized to encrypt our data. These methods include not only data at rest, but data in transit, and data displayed through masking or redaction. OPM’s IT security team is actively building new systems with technology that will allow the agency to not only better identify intrusions, but to encrypt even more of our data.

What systems were affected?

For security reasons, OPM cannot publicly discuss specifics of the systems that might be affected by the compromise of personnel data. Additionally, due to the ongoing investigation, it would be inappropriate to publicly provide information that may impact the current work by law enforcement. OPM has added additional security controls to better protect overall networks and systems and the data they store and process.

Why didn’t OPM tell affected individuals about the loss of the data sooner?

OPM became aware of the first intrusion in April 2015. OPM worked with US-CERT and the FBI as quickly as possible to assess the extent of the malicious activity and to identify the records that may have been compromised. In May 2015, through this investigation, OPM became aware of the potential compromise of data related to personnel records for current and former Federal employees. During the investigation into the cyber intrusion of OPM that compromised personnel records (announced June 4), OPM, with its interagency partners, became aware of the possibility of a separate intrusion affecting a different set of OPM systems and data involving background investigations.

As with any such event, it takes time to conduct a thorough investigation and to identify the affected individuals.

What is OPM doing to prevent this kind of loss from happening again?

We are committed to making this right and are investing in the internal processes, tools, and resources to reduce the likelihood that this can happen again. Because cyber threats are evolving and pervasive, OPM is continuously working to identify and mitigate threats when they occur. OPM evaluates its IT security protocols on a continuous basis to make sure that sensitive data is protected to the greatest extent possible, across all networks where OPM data resides—including those managed by government partners and contractors.

What has OPM done to shore up its systems?

OPM has been making steady improvements in its cybersecurity posture over the past year. In February 2014, OPM Director Archuleta, in one of her first major initiatives as the Director of OPM, developed and approved an IT Strategic Plan to bolster OPM’s IT networks and databases and adopt state of the art security protocols.

This plan included upgrading Security Assessment and Authorization for several systems and implementing continuous monitoring to enhance the ability to identify and respond, in real time or near real time, to cyber threats.

Additional upgrades included the installation of more firewalls that allow us to filter network traffic; restricting remote access for network administrators and restricting network administration functions remotely; reviews of all connections to ensure that only legitimate business connections have access to the Internet; and deploying anti-malware software across the environment to protect and prevent the deployment or execution of cybercrime tools that could compromise our networks.

That undertaking resulted in OPM having tough new security measures in place by the spring of this year. That is the reason the agency was able to detect in April 2015 an intrusion that happened some time earlier. The agency immediately began working with relevant Federal agencies, DHS, and the FBI to investigate and mitigate the intrusion.

After the incidents were discovered, OPM also immediately implemented additional security measures and will continue to add protections for the sensitive information it manages.

Has the information been misused?

At this time, we have no evidence that there has been any use or attempted use of the information compromised in this incident. This is an ongoing investigation and OPM will continue to be vigilant to ensure that necessary security measures are in place to further strengthen and protect our networks, systems, and data.

What are the risks of identity theft with the information that was compromised?

Receiving a notice – email or letter – does not mean that the recipient is a victim of identity theft. OPM is recommending that people review their notices and the recommendations provided. In order to mitigate the risk of fraud and identity theft, we are offering credit monitoring service and identity theft insurance for 18 months. Every affected individual, regardless of whether or not they explicitly take action to enroll, will have $1 million of identity theft insurance and access to full-service identity restoration.

How long will it take to inform all the potential victims involved in the incidents?

OPM began conducting notifications to individuals whose personnel records were affected using email and/or USPS First Class mail on June 8, 2015 and will continue notifications on a rolling basis through June 19, 2015. It may take several days beyond June 19 for a notification to arrive by email or mail.

In the case of the incident involving background investigations information, the investigation is still ongoing, and we will notify affected individuals as soon as is practicable. As with any such event, it takes time to conduct a thorough investigation and to identify the affected individuals.

Who is responsible for this incident?

OPM does not assign attribution for cybercrimes. That question is best addressed by law enforcement agencies.

Can you say with confidence that the adversary is not currently in the system?

At this time, we have no indications that the actors remain in the OPM networks. The agency’s enhanced security measures not only enabled us to detect the intruder, but have allowed us to identify, isolate, and prevent even sophisticated actors who are using new techniques. It is also worth noting that the malicious activity that OPM found was latent; the intrusions occurred well before they were discovered by OPM.

However, this is an ongoing investigation and we are still getting new information on what occurred on OPM’s networks.

Can my family members also receive services if they are part of my file/records?

At this time, we have no evidence to suggest that family members of employees were affected by the breach of personnel data. Since the investigation relating to the breach of background investigation data is ongoing, additional exposures may come to light. In that case, OPM will conduct additional notifications as necessary.

May employees be granted duty time and use government telephones and computers to contact CSID to determine whether their employment information was accessed and to register for identity theft coverage?

OPM strongly encourages agencies to allow employees to contact CSID while on duty time. If an employee does not have Internet access, OPM strongly encourages agencies to work with those individuals, as appropriate, to provide them access.

What has been the operational or mission impact to OPM?

There has been no operational impact to OPM. The agency has continued to operate at full capacity since the incident occurred.

I haven’t gotten an email or a letter yet. Does this mean I am not affected?

For those individuals potentially affected by the incident announced on June 4 regarding personnel information, all notifications will be sent by June 19. Because of the volume of affected individuals, OPM is sending notifications on a rolling basis. Please note that while all emails and letters will be mailed by June 19, it may take several days beyond June 19 for notification to arrive.

Since the investigation is ongoing, additional exposures may come to light; in that case, OPM will conduct additional notifications as necessary.

I received an email from [email address hidden on the source page]. Is this email from OPM, or is this a phishing scam?

OPM has contracted with a firm called CSID to help it send notifications as quickly as possible. For those individuals potentially affected by the incident involving personnel information, the emails will come from the sender “OPM CIO” from this address: [email address hidden on the source page].

If you get an email about the breach from a different address, it may be phishing, which is defined as a criminal effort to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) for malicious reasons, by masquerading as a trustworthy entity in an electronic communication. Do not click on any links or provide any personal information if you suspect an email is phishing.

In a valid email, there will be a link in the body of the email that takes you to www.csid.com/opm, where you will need to click the “Enroll Now” button and provide your information. When you enroll, you will be required to provide personal information to begin your credit monitoring services.

If you would like to confirm that the email you received is valid, contact your agency’s privacy officer. The government’s privacy officers have been provided information by OPM to help them validate the emails for you.

How will OPM contact me if I no longer work for the government? What if I have changed agencies once or multiple times in recent years?

For those individuals potentially affected by the incident involving personnel information (June 4 announcement) who have left the government, OPM will send you a notification via postal mail to the last address the agency has on file. OPM will verify this address with the National Change of Address (NCOA) service before mailing a letter.

If you have moved between agencies, OPM will send an email notification to your government email account for the agency at which you are currently employed. If your email address is unavailable, notification will be sent via postal mail.

Since the investigation is ongoing, additional exposures may come to light; in that case, OPM will conduct additional notifications as necessary.

What is OPM doing to make sure Federal employees are protected?

OPM is currently in the process of sending notifications to individuals whose personally identifiable information (PII) may have been compromised by the incident involving personnel records. Since the investigation is ongoing, additional exposures may come to light; in that case, OPM will conduct additional notifications as necessary.

In addition, OPM has been working with the leadership of affected Federal agencies to inform them to the fullest extent possible what data was compromised so that each affected Federal employee has the resources available to protect their interests.

In order to mitigate the risk of fraud and identity theft, OPM is offering credit report access, credit monitoring services, and identity theft insurance to potentially affected individuals, at no cost to them. The comprehensive, 18-month membership includes credit monitoring and $1 million in identity theft protection services.

Additionally, it is an important reminder that we discovered this incident as a result of OPM’s concerted and aggressive efforts to strengthen its cybersecurity capabilities and protect the security and integrity of the information entrusted to the agency. Accordingly, OPM has been working with the Department of Homeland Security and the Office of Management and Budget to determine what steps can be taken to accelerate already planned network and systems enhancements and institute the necessary tools to detect and mitigate emerging cyber threats.

I received a notification that my personally identifiable information may have been exposed, but it came from the Department of Homeland Security. Is this the same incident?

This is a separate incident involving Department of Homeland Security employees. Please refer to the DHS-specific cybersecurity intrusion page for more information: www.dhs.gov/intrusion.

I am undergoing a background investigation and have been asked to complete my SF-86 (or provide information pertaining to someone else’s background investigation) but understand that the systems that house OPM’s background investigations data have been compromised. Can I be assured that the data I submit is secure?

OPM remains committed to improving its security capabilities and has invested significant resources in implementing tools to strengthen its security barriers. Additionally, the Office of Management and Budget (OMB) has instructed Federal agencies to immediately take a number of steps to further protect Federal information and assets and improve the resilience of Federal networks.

OPM continues to process background investigations and is working closely with OMB, the Department of Homeland Security and other experts across the government to detect and thwart evolving and persistent threats.

Protecting the security and integrity of the information entrusted to OPM is central to our mission, and we will continue to keep you apprised as the investigation continues.

=====================================================================


June 19, 2015

NTEU Receives New Information Regarding Data Breaches

NTEU is working aggressively to inform and protect our members in the wake of the Office of Personnel Management's (OPM) announcement that two cybersecurity breaches have compromised personally-identifiable information (PII) of current and former federal employees.

NTEU recognizes this situation is frustrating and frightening and believes the breaches are unacceptable and that the response has not been quick or detailed enough, leaving employees in the dark and causing additional anxiety. NTEU is pressing for additional steps to be taken to protect employees.

Background

OPM first announced on June 4 that a database breach had compromised PII for approximately four million current and former federal employees. Then, on June 12, OPM announced an additional breach, one potentially affecting background investigation records.

In a briefing today, OPM said the second, likely more serious, breach was still under investigation. Details are not available as to which employees and other individuals were affected. As of today, no notifications have been sent to individuals affected in the second breach. OPM could not say when those notifications would begin. Since that information is not available, NTEU requested that all federal employees be given immediate access to credit monitoring and protection services. OPM is considering this request.

Earlier this week, NTEU National President Colleen M. Kelley spoke with Office of Management and Budget (OMB) leadership to reiterate the need for clearer and quicker information for the federal workforce, including asking for an extension of both the credit monitoring and identity theft protection services beyond the current 18 months. President Kelley also asked for coverage for any affected family members. She insisted OMB ensure agency heads are providing adequate duty time for employees to enroll in these services, as well as access to government computers. She reported problems with notifications, such as bad addresses and deleted notifications, and she will continue to share such issues with OPM and OMB. President Kelley also reiterated the request for blanket coverage for all federal employees.

NTEU Reaches Out to Congress

The union is urging lawmakers to help ensure that the personal information of federal employees and their family members is safeguarded. See what you can do. NTEU also submitted testimony to Congress on the breach.

OPM Posted New Information

OPM's web pages “Information About the Recent Cybersecurity Incident” and “Frequently Asked Questions” were updated late yesterday.

Information page: http://www.opm.gov/news/latest-news/announcements/
FAQ: http://www.opm.gov/news/latest-news/announcements/frequently-asked-questions/

OPM released new information on what personnel records were compromised in the breach reported on June 4. OPM now says that "any federal employee from across all branches of government whose organization submitted records to OPM for future retirement processing may have been compromised."

From OPM: “OPM is continuing to examine the data and systems that may have been compromised.  For example, we have confirmed that any Federal employee from across all branches of government whose organization submitted records to OPM for future retirement processing may have been compromised—even if their full personnel file is not stored on OPM’s system.  These individuals were included in OPM’s initial estimate of approximately 4 million individuals whose data may have been compromised and are currently being notified.  These records include service history records (such as the SF 2806), court orders, and other records and information that pertain to annuity calculations. The Personally Identifiable Information contained in these records includes name, Social Security numbers, dates of birth, and possibly other sensitive information.” View more OPM information on what was potentially compromised.

CSID Still Notifying Individuals

CSID, the private contractor assisting OPM in this situation, continues to notify affected individuals either by email or postal mail. OPM reported that the first round of notifications to individuals affected by the first breach should be complete today, June 19. Current employees are most likely to receive an email notification from CSID at their work email address. The CSID notification sender email address is [email address hidden on the source page].

Notices to employees without valid email addresses or whose agency email bounces back, and notices to former employees, are happening via postal delivery. Letters mailed today will be received next week. If an impacted individual does not receive a letter, he or she can call CSID to inquire about their status.

Please note: Getting a notice letter or email does not mean you are automatically enrolled in the credit monitoring services. Once affected individuals receive a notice, they must take action to contact CSID either by visiting the web site or calling the toll-free line to enroll. Also, any requests for PII will occur after individuals contact CSID. At no time will affected individuals receive incoming calls or e-mails requesting or demanding PII information.

What to Expect When Calling CSID

The CSID toll-free number is 844-777-2743 (International callers can call 512-327-0705 collect). OPM advises that it is best for individuals to wait to receive a notice, which will include a PIN, before calling CSID or visiting the CSID web site at: http://www.csid.com/opm/.

Callers should be advised that:

  • There are several repeated messages on the toll-free line reiterating it is best to call only after receiving a notice. 
  • For callers who have received the notification email or letter, there are prompts to speak with an agent. 
  • Individuals who have not received a notice can now verify whether or not they have been affected.
    • Simply wait past the prompts (do not select 1 or 2) and then the caller will be connected to an operator who can verify whether the caller was affected (these individuals will need to provide the last four digits of their Social Security Number and verify their home address) before being given personalized PIN numbers.
  • Callers may experience wait times to be connected with a live operator.  

Get more information regarding what to expect when calling CSID.

Learn What You Should Do and Stay Informed

The union has a web page with news, helpful information and resources on steps you can take in the wake of the cyber breaches. Members have to log on to view the page.

=====================================================================

https://www.consumer.ftc.gov/articles/pdf-0009-taking-charge.pdf (At a minimum, if you don’t have time to review the full document, I suggest you read pages 6 and 7.)

http://krebsonsecurity.com/2014/03/are-credit-monitoring-services-worth-it/ (This article is worth a quick read, in my humble opinion.)

=====================================================================

                                                            

                                                                    June 18, 2015

M E M O R A N D U M

TO:      Chapter Presidents and Legislative Coordinators

RE:      Updated Information on OPM Data Breaches

SUMMARY:  Updated Information regarding the OPM personnel records breaches

The U.S. Office of Personnel Management (OPM) first announced on June 4 that a database breach had compromised Personally Identifiable Information (PII) for approximately four million current and former federal employees.  Then, on June 12, OPM announced an additional breach, one potentially affecting background investigation records.  As of today, there is no further information from OPM regarding this second, likely more serious breach, and no notifications have been sent to individuals affected in this breach.

I want to assure you that NTEU is seeking additional information and responses from the Administration regarding both of these breaches.  I spoke with the Office of Management and Budget yesterday reiterating the need for clearer and quicker information for the federal workforce, including asking for an extension of both the credit monitoring and identity theft protection services beyond the current 18 months and to provide these services and coverage for any affected family members.  I also insisted OMB ensure agency heads are providing adequate duty time for employees to enroll in these services, as well as access to government computers.  I have also shared that some NTEU members have reported notification letters arriving at family member mailing addresses rather than at the employee’s home address, and asked for guidance for employees who deleted the CSID email, believing it to be a fake or malicious email (and who do not have access to their assigned PIN code).  I have also made it clear that employees must receive further detailed information and be notified without further delay concerning the June 12 reported breach of background investigation records.  I also recommended to OMB and OPM that if OPM cannot immediately identify and notify affected individuals, that the Administration should immediately provide blanket credit monitoring and identity theft protection services to all federal employees and their family members.

OPM’s website has been updated today regarding what personnel records were compromised as part of the June 4th reported breach.  OPM’s information states:

As part of our ongoing notification process, we are committed to providing the most up-to-date information to ensure affected individuals have the necessary resources and information available to protect their interests and security.  OPM is continuing to examine the data and systems that may have been compromised.  For example, we have confirmed that any Federal employee from across all branches of government whose organization submitted records to OPM for future retirement processing may have been compromised—even if their full personnel file is not stored on OPM’s system.  These individuals were included in OPM’s initial estimate of approximately 4 million individuals whose data may have been compromised and are currently being notified.  These records include service history records (such as the SF 2806), court orders, and other records and information that pertain to annuity calculations. The Personally Identifiable Information contained in these records includes name, Social Security numbers, dates of birth, and possibly other sensitive information.

Current and former Federal employees, from all branches of government may receive a notice if:

If you are unsure whether your organization submits related documentation to OPM to support future retirement processing, please contact your organization's Human Resources Office.

This information can be found as part of OPM’s posted FAQs at:   http://www.opm.gov/faqs/topic/cybersecurityinformation/

As indicated in earlier communications, OPM is using CSID, a private contractor, to assist OPM with responding to the June 4th reported incident.  CSID is in the process of transmitting individual notifications (either by e-mail or mailed letter) to all affected individuals from June 8th through 19.  Current employees are most likely to receive an e-mail notification from CSID at their work e-mail address.  The CSID notification sender e-mail address is [email address hidden on the source page].  Notices to employees without a valid e-mail address, or whose agency e-mail bounces back and is not deliverable, and notices to former employees are happening via postal delivery.

The CSID toll-free number is 844-777-2743 (International callers can call 512-327-0705 collect).  OPM advises that it is best for individuals to wait to receive a notice, which will include a PIN, before calling CSID or visiting the CSID web site at: http://www.csid.com/opm/.

When affected individuals call the toll-free line CSID representatives initially will not ask for DOB or full Social Security Number (SSN), but will ask for the PIN and the last 4 digits of the SSN to help validate individual identities against the lists that they have. 

Callers should be advised that there are several repeated messages on the toll-free line reiterating holding off on calling before receiving a notice.  There are prompts for callers who have received the notification email or letter in order to speak with an agent.  However, individuals who have not received a notice can now verify whether or not they have been affected—simply wait past the prompts (do not select 1 or 2) and then the caller will be connected to an operator who can verify whether the caller was affected (these individuals will need to provide the last four digits of their Social Security Number and verify their home address) before being provided with their personalized PIN number.  Callers may experience wait times to be connected with a live operator.  

As a reminder, in order to enroll in the OPM/CSID-provided credit monitoring and identity theft protection services individuals will be required to provide PII—either via the toll-free line or via the CSID web site.

It is important to remember that while affected individuals will receive a notice letter or e-mail, they must take action to contact CSID—either by visiting the web site or calling the toll-free line—before any request for PII occurs.  At no time will they receive incoming calls or e-mails requesting or demanding PII information.

I will keep you up-to-date on any and all developments.  I recognize that this overall situation is frustrating, frightening, and unacceptable.

Colleen M. Kelley

National President

========================================================================



Update on the OPM Data Breach

 

Steps You Can Take

- Monitor financial account statements and immediately report any suspicious or unusual activity to financial institutions.

- Request a free credit report here or by calling 1-877-322-8228. Consumers are entitled by law to one free credit report per year from each of the three major credit bureaus – Equifax®, Experian®, and TransUnion® – for a total of three reports every year. Get contact information for the credit bureaus.

- Review resources provided on the Federal Trade Commission (FTC) identity theft website. The FTC maintains a variety of consumer publications providing comprehensive information on computer intrusions and identity theft.

- You may place a fraud alert on your credit file to let creditors know to contact you before opening a new account in your name. Call TransUnion® at 1-800-680-7289 to place this alert. TransUnion® will then notify the other two credit bureaus on your behalf.

Late yesterday, NTEU was briefed by the Office of Personnel Management (OPM) about a large cybersecurity breach potentially impacting 4 million current and former federal employees.

NTEU finds this data breach unacceptable. Information on the federal workforce and the personal information of employees deserves the highest level of protection. NTEU will work to ensure that level is reached quickly. This is a growing problem in the public and private sector and more must be done.

NTEU is currently requesting information about how employees in all NTEU-represented agencies may have been impacted and will continue to keep members informed of developments.

In order to mitigate the risk of fraud and identity theft, OPM is offering affected employees credit monitoring and identity theft insurance through a company called CSID®. The 18-month membership includes free credit monitoring and $1 million in identity theft protection services.

From June 8-19, OPM will be sending notifications to those individuals whose personally-identifiable information was potentially compromised in this incident. The email, which will come from [email address hidden on the source page], will contain information about credit monitoring and identity theft protection services for federal employees impacted by the breach. OPM will mail letters to individuals for whom it does not have an email address on file.

A dedicated CSID website and phone number will be available for those who have questions beginning Monday (June 8) morning at 8 a.m. CT. The company’s website is www.csid.com/opm, and its toll free telephone number is 844-222-2743 (International callers: Call collect 512-327-0700).

NTEU encourages affected members to sign up for the credit monitoring as soon as possible, follow all advice such as placing fraud alerts with credit bureaus, and carefully monitor activity for evidence of fraud and identity theft.

Current and former employees should be aware of unscrupulous individuals trying to take advantage of the situation and be cautious if contacted by any other source.

NTEU is very concerned about the breach, especially with the growing threat of identity theft. The union will continue to urge OPM to share all available information as the situation develops, and will keep members informed.

 

“...to ensure that every federal employee is treated with dignity and respect.”

========================================================================

                                                              June 5, 2015

M E M O R A N D U M

TO:      Chapter Presidents and Legislative Coordinators

RE:      Update on OPM’s Announcement of Federal Employee Security Breach 

SUMMARY:  Updated information regarding the U.S. Office of Personnel Management’s announcement of a widespread data breach affecting four million current and former federal employees is discussed below.

As I promised in my memo to you yesterday regarding the Office of Personnel Management’s (OPM) announcement that a security database breach has compromised Personal Identifiable Information for approximately four million current and former federal employees, here is the latest information for individuals:

  

I will keep you updated on this fluid situation as more information becomes available.

Colleen M. Kelley

National President

========================================================================

From: *Secretary of the Treasury
Sent: Friday, June 05, 2015 9:14 AM
To: &&Employees All
Subject: Cybersecurity incident

Note: Some employees may have already received this message from Treasury Secretary Lew via email. We are resending for those who did not receive the message.

Dear Colleagues,

The U.S. Office of Personnel Management (OPM) recently became aware of a cybersecurity incident affecting its systems and data that may have exposed the personal information of current and former federal employees.  I have been informed by OPM that Treasury employee data has potentially been compromised in this incident and I wanted to share more information with you right away. 

Since the incident was identified, OPM has partnered with the Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT) and the Federal Bureau of Investigation to determine the impact to federal personnel.  As a result of this investigation, OPM is notifying approximately 4 million individuals whose personally identifiable information may have been compromised.  The notifications will be sent beginning June 8 and continuing through June 19 by email and U.S. mail.

In order to mitigate the risk of fraud and identity theft, OPM will offer affected individuals credit monitoring services and identity theft insurance through CSID, a company that specializes in identity theft protection and fraud resolution.  This comprehensive, 18-month membership includes credit report access, credit monitoring, identity theft insurance, and recovery services, and is available immediately at no cost to affected individuals identified by OPM.  Employees whose information was affected will receive a notification directly from CSID.  If you have any questions about the impact of this incident to your data or if you receive a notice and have questions about the services being offered, contact CSID directly beginning at 8 a.m. CST on June 8, 2015.  The company’s website is www.csid.com/opm, and its toll free phone number is 844-222-2743 (International callers: call collect 512-327-0700).

Following this incident, OPM took immediate action to implement additional security measures in order to protect the sensitive personnel data it manages.  I would like to take the opportunity to remind you of the seriousness of cyber threats and of the importance of vigilance in protecting our systems and data.

Sincerely,

Jack Lew

Steps for Monitoring Your Identity and Financial Information

  • Monitor financial account statements and immediately report any suspicious or unusual activity to financial institutions.
  • Request a free credit report at www.AnnualCreditReport.com or by calling 1-877-322-8228.  Consumers are entitled by law to one free credit report per year from each of the three major credit bureaus – Equifax®, Experian®, and TransUnion® – for a total of three reports every year.  Contact information for the credit bureaus can be found on the Federal Trade Commission (FTC) website, www.ftc.gov.
  • Review resources provided on the FTC identity theft website, www.Identitytheft.gov.  The FTC maintains a variety of consumer publications providing comprehensive information on computer intrusions and identity theft.
  • You may place a fraud alert on your credit file to let creditors know to contact you before opening a new account in your name.  Simply call TransUnion® at 1-800-680-7289 to place this alert.  TransUnion® will then notify the other two credit bureaus on your behalf.

 

Precautions to Help You Avoid Becoming a Victim

Identity Theft Clearinghouse

Federal Trade Commission

600 Pennsylvania Avenue, NW

Washington, DC 20580

www.consumer.gov/idtheft

1-877-IDTHEFT (438-4338)

TDD: 1-202-326-2502

====================================================================

From: *Commissioner Koskinen
Sent: Thursday, June 04, 2015 09:56 PM Eastern Standard Time
To: &&Employees All
Subject: Information about recent OPM cybersecurity incident
 

Late today, we learned about a data incident involving Office of Personnel Management records and federal employees. We are still reviewing the situation, but at this time we have reason to believe that most IRS employees may be unaffected by this data incident. Those employees whose federal employment has been solely with the IRS do not appear at this time to be affected since IRS personnel records are still in paper form and the affected records were electronic.

However, analysis of the situation will continue. You should have received an email from Treasury Secretary Lew notifying you of the incident. Those individuals whose personal information is at risk will also be notified directly by OPM by postal mail or via email. Current IRS employees directly affected may receive an email from [email address hidden on the source page].


Employees with questions, however, can check IRWeb, which will be updated with more information as it becomes available. In addition, you may also visit the OPM web site which has extensive details on the situation.

Please be assured our teams remain in touch with OPM, Treasury and NTEU, and we continue to closely monitor the situation for information affecting you and your colleagues.