Updates on OPM Cybersecurity Incident

OPM Data Breach: What NARFE Members Can Do

January 10, 2019

The Office of Personnel Management (OPM) awarded a new contract to ID Experts to continue providing a suite of identity protection services for more than 21 million current and former federal employees and contractors whose sensitive personal information was compromised in two egregious 2015 cyberattacks. The new contract began January 1, 2019, and will continue at least until June 2020 with a possible full period of performance of five years. According to OPM, those currently enrolled are not required to take any further action at this time, and coverage will continue uninterrupted at no cost. Further information is available on the OPM Cybersecurity Resource Center website.

Congress mandated that OPM provide victims with complimentary protections for 10 years. NARFE continues to push lawmakers to provide 2015 victims of the cyberattacks with lifetime identity protection services, as the threat of identity theft will not simply expire at the end of the 10-year mandate.

November 27, 2018

In the aftermath of two severe cyberattacks on records at the Office of Personnel Management (OPM) in 2015 that compromised the personal information of more than 21 million federal employees, retirees and contractors, OPM contracted ID Experts to provide victims with a suite of identity theft protection services. On December 31, 2018, the original three-year OPM contract with ID Experts expires. To abide by Congress’s mandate that OPM provide 10 years of identity protection services to affected individuals, roughly a month before the expiration, the agency announced it was beginning a rebid for the contract and would extend the services provided by ID Experts through June 30, 2019 to ensure no interruption of services for those already enrolled.

OPM’s failure to prepare for the contract expiration in advance renewed feelings of uncertainty and vulnerability for those affected. NARFE voiced its disappointment with OPM’s delayed action and called on the agency to provide victims with timely notification regarding their protection for the remaining years of complimentary services. NARFE reiterated its call to legislators to provide affected individuals with lifetime identity protection services, as the threat of identity theft will not expire with the end of the 10-year mandate set by Congress. Read a statement from NARFE National President Ken Thomas by clicking here.

January 20, 2016

OPM Has Completed Notification to Individuals Affected by Background Investigation Cyberattack

The Office of Personnel Management (OPM) informed NARFE this week that is has completed the initial notification mailing to more than 21 million individuals whose security clearance and background investigation records were compromised by a cyberattack against the agency in 2015.

As a result of the attack, the federal government is providing free credit monitoring services and identity theft insurance to affected individuals for a limited time. OPM acknowledged it is obligated under the budget law enacted in December 2015 to provide additional free credit monitoring services and identity theft insurance for at least 10 years to the victims of both the background investigation/security clearance attack and a separate attack on personnel data files. OPM said no decision has yet been made on how it will implement the additional protection.

December 16, 2015

OPM Posts Samples of Letters Sent to Those Seeking Verification

The Office of Personnel Management (OPM) announced this week it had posted, on its Cybersecurity Resource Center (https://www.opm.gov/cybersecurity), samples of letters that will be sent in response to individuals who contact OPM’s Verification Center because they either have not yet received a notification letter and believe they should have or did receive a letter but have lost the letter along with the Personal Identification Number assigned to them.

OPM said 93 percent of the 21.5 million affected individuals have been mailed notification letters, informing them their records were compromised in the background investigation/security clearance records breach and offering free credit monitoring and identity theft protection insurance.

The sample response letters available for viewing at https://www.opm.gov/cybersecurity/#Actions are those being sent to:

- Individuals whose fingerprints were compromised in the breach;
- Individuals whose fingerprints were not compromised; and
- In individuals whose records the Government determined were not compromised as a result of the cyberattack.

December 2, 2015

OPM Launches Online Verification Center

The U.S. Office of Personnel Management (OPM) has announced the launching of an online verification center to help individuals whose background investigation records were compromised as a result of the cyberattack on OPM’s data files earlier this year. Specifically, the new online program is designed for:

• Individuals who believe their data was stolen but who have not received a notification letter; and

• Individuals who have received a notification letter but who have lost the Personal Identification Number (PIN) that was included in the letter.

The online verification center is accessible 24 hours a day, seven days a week and will be available through December 2018. It can be accessed through the main OPM cybersecurity resource center, www.opm.gov/cybersecurity. As an alternative to accessing the verification center online, individuals also can call the verification center at 866-408-4555 between the hours of 9 a.m. and 9 p.m. Eastern Time, Monday through Friday.

October 30, 2015

OPM Adds Three New FAQs to Its Cybersecurity Website

While the background and security clearance data breach notices are being mailed, the Office of Personnel Management is collecting and publishing answers to frequently asked questions (FAQs) from affected individuals. Recently, it added three more of these FAQs to its Cybersecurity Resource Center website  https://www.opm.gov/cybersecurity/faqs. Learn how a current credit freeze may affect your ability to sign up for the services being offered, what to do if the PIN provided in your notice doesn’t work, and why your notice was addressed as it was.

October 9, 2015

When you’re impacted by a cyberattack, you want to know what you can do to protect yourself from future attacks. The federal government’s National Counterintelligence and Security Center provides good information to help you protect your personal information from being stolen by cyber criminals and foreign intelligence services.  The NCSC website at http://www.ncsc.gov/  has a section, entitled, “Know the Risk, Raise Your Shield,” which contains videos and other helpful resources. 

October 1, 2015

OPM Begins Mail-Only Notifications

The Office of Personnel Management (OPM) announced October 1 that notification letters are being sent, starting September 30, to those individuals whose personal information was stolen in the cyberattack on background investigations and security records at OPM. The announcement emphasized that official notifications from OPM will be mailed via the U.S. Postal Service and that email will not be used. The mailed notifications will contain a personalized identification number (PIN), which is necessary for the individual to enroll in the three years of identity theft protection and credit monitoring services being provided free of charge by the government.

OPM cautions that neither it nor anyone else acting on OPM’s behalf will directly contact individuals to confirm personal information. If you receive an email or a phone call, it is a scam.

OPM and the Department of Defense also are preparing to provide victims of the background investigation cyberattack with a website that will help users determine whether they’ve been affected by the hack.

OPM has updated its special website www.opm.gov/cybersecurity with additional information and answers to common questions.

September 23, 2015

OPM Now Says Fingerprints of 5.6 Million Individuals Were Stolen, Up From 1.1 Million

The Office of Personnel Management (OPM) today provided a new revelation in the investigation of the theft of highly sensitive security and background investigation files housed with that agency.

During its analysis of the impacted data, OPM announced, OPM and the Department of Defense discovered that the fingerprints of 5.6 million individuals have been stolen. Originally, OPM had reported that a total of 1.1 million individuals had their fingerprints stolen in the cyberattack of its files. While federal experts believe that, as of now, the ability to misuse fingerprint data is limited, this could change over time. In anticipation of future threats, an interagency working group is studying ways that fingerprint data could be used by unauthorized individuals and are seeking potential ways to prevent its misuse. As the group discovers new potentials for misuse, the government will provide additional information to affected individuals.The full press release can be found at https://www.opm.gov/news/releases/2015/09/cyber-statement-923.

 September 2, 2015

OPM Secures Contractor to Handle Background Breach Credit Monitoring

The Office of Personnel Management (OPM) and the Department of Defense September 1 announced Identity Theft Guard Solutions, doing business as ID Experts, has been awarded a contract to provide a full range of identity theft and credit monitoring services to the federal employees whose personal information was stolen from OPM’s background investigations database as a result of a cyber breach. ID Experts will provide three years of identity theft restoration and identity theft insurance to those affected by the breach, effective immediately. Notices to individuals affected by the background investigation data breach will begin going out by the end of September.  

Those individuals who were victims of the theft of personnel record information and who received notification from CSID in July also will receive a a notification from the U.S. Government if their background investigation records also were stolen. OPM will, at some time, be providing more information on its website about how that process will work. At this time, OPM’s cybersecurity website www.opm.gov/cybersecurity has the most recent information on both data thefts as well as an email address, cybersecurity@opm.gov, to answer additional questions

August 4, 2015

OPM Expects to Award Notification Contract in August; Additional Updates

NARFE today received the following updated information from officials of the Office of Personnel Management (OPM) with regard to the cybersecurity incidents:

• The Request for Quotation (RFQ) to contractors to provide notification to those affected by the breach of federal background investigations data, along with information regarding credit monitoring, identity restoration services and identity theft insurance, will go out this week (August 3-7).

• The contract will be awarded in mid-to-late August. Notifications to affected individuals are expected to go out soon after the contract is awarded.

• You can sign up now with OPM to receive email updates regarding the latest information here: https://www.opm.gov/cybersecurity/stay-informed/ .

• For more information from OPM, visit its cyberbreach page here: https://www.opm.gov/cybersecurity/ .

July 29, 2015

No Notifications Yet in Second Breach

It will be another month or more before individuals affected by the background and security clearance records breach at the Office of Personnel Management receive notices from the government with offers of free credit monitoring and identity theft protection. This is according to Federal News Radio, which cited a General Services Administration notice recently sent to vendors. To read the Federal News Radio report click on http://federalnewsradio.com/opm-cyber-breach/2015/07/gsa-delays-contract-services-protect-opm-hack-victims/.

July 28, 2015

FTC Issues Scam Alert for Victims of the OPM Data Breaches

As was predicted, unscrupulous con artists are attempting to take advantage of federal employees already devastated by the theft of their personal information. The Federal Trade Commission (FTC) issued an alert that imposters posing as FTC officials are calling federal employees with offers of money in exchange for personal identifying information. If you receive such a call, hang up. The FTC does not make calls asking for personal information. Read the alert in its entirety at: http://www.consumer.ftc.gov/blog/its-not-ftc-calling-about-opm-breach.

July 23, 2015

e-QIP Background Investigation Platform Resumes

The Office of Personnel Management announced today that the e-QIP Web-based platform used to complete and submit background investigation forms is back online and available to users. On June 29, OPM had announced it was suspending operations of e-QIP until security enhancements could be implemented. Here is OPM’s statement:

"The U.S. Office of Personnel Management (OPM) today began re-enabling user access to e-QIP, the system used to process background information forms.

"OPM recently initiated a comprehensive review of the security of its IT systems. During the ongoing review, OPM and its interagency partners identified a vulnerability in the e-QIP system, a web-based platform used to complete and submit background investigation forms. As a result, on June 26, 2015, OPM took the system offline for security enhancements.

"This action was not the direct result of malicious activity on this network, and there is no evidence that the vulnerability in question has been exploited. Rather, OPM took this step proactively, as a result of our comprehensive security assessment, to safeguard the ongoing security of the network.

"The system has been brought back online less than four weeks after being taken down, and OPM is working closely with agencies to re-enable e-QIP users incrementally in an effort to resume this service in an efficient and orderly way. This action is being taken after extensive testing of the system – both by OPM and its partner agencies – and consultation with key stakeholders.

"Anticipating the impact on both users and agencies, on July 2, 2015, OPM and the Office of the Director of National Intelligence announced interim procedures to allow agencies to proceed with the initiation of certain background investigations.

"During the time that the system was offline, OPM worked with cybersecurity experts from the Office of Management and Budget’s Office of e-Government and Information Technology, the Department of Homeland Security and other interagency partners to implement security enhancements. These improvements further enhanced password protections, secured the transmission of data within the application, and implemented additional protections against external threats. Based on the security enhancements and the extensive testing that has been completed, OPM is re-enabling access to e-QIP with confidence in the security of the system.

"OPM remains committed to protecting the safety and security of the information of Federal employees and contractors, and will continue efforts to further enhance the security of our systems."

July 17, 2015

Information Regarding OPM Contractor CSID

In response to NARFE’s concerns, the Office of Personnel Management (OPM) has provided the following information concerning CSID, its contractor handling the notifications to individuals affected by the data breach of personnel records, which was announced June 4.

Individuals are beginning to receive emails from CSID providing Identity Theft Insurance documents to those affected by the personnel records incident. These emails also indicate there is a premium of $0.27 per month for this insurance. There are concerns about whether these are legitimate emails or not and whether individuals are expected to pay the monthly premium. These are legitimate emails, but the individual is not paying the premium. According to New York State law and Minnesota State law, companies providing insurance coverage to an individual must provide a copy of the policy with the premium amount disclosed. The policy must be provided to the consumer in at exact format and CSID cannot alter the language. In the cases of those individuals affected by the personnel data breach, the individual is not paying the premium. CSID is paying the premium on their behalf and must disclose how much they are paying.

Some individuals have reported receiving phone calls purportedly from CSID, and there are concerns about whether these phone calls are legitimate. OPM has confirmed that CSID does not call individuals unless the individual has sent CSID an email or left CSID a voicemail requesting a call back. Any NARFE members who receive an unsolicited telephone call from someone saying they are from CSID should try to get the name of the caller and report it to NARFE’s Federal Benefits Service Department so it can be forwarded to OPM for further investigation.

July 16, 2015


On July 14, the Office of Personnel Management issued the following update on the cyber-security breaches, one involving its personnel data files and the other on its background investigation records.

 We shared last week that OPM launched a new, online incident resource center, located at https://www.opm.gov/cybersecurity to offer up-to-date information regarding the OPM incidents as well as to direct individuals to materials, training, and useful information on best practices to secure data, protect against identity theft, and stay safe online. We encourage you to use this resource to answer questions. If you have additional questions after reviewing the website, or suggestions for additional content, please email OPM at: cybersecurity@opm.gov

 Additionally, we wanted to share brief updates on both incidents:

  1. Personnel Records Incident: OPM has largely concluded notifications to individuals whose information may have been compromised by the incident involving personnel records. As we have previously mentioned, OPM is offering credit restoration and monitoring services, and other protections through CSID, a company that specializes in identity theft protection and fraud resolution. Please note that CSID is working on the personnel records incident only and will not have further information about the background investigations incident.
  • As a reminder, all affected employees are automatically enrolled in identify theft insurance and identity restoration services – which means that if your information was affected by the breach, you are already enrolled in these programs even if you have not yet contacted CSID
  • If you have NOT yet received your notification by email or mail (or may have deleted or lost the notification), or are wondering if your records were affected, we encourage you to call CSID at (844)-777-2743.
  1. Background Investigations Incident: In the coming weeks, OPM will begin sending notification letters to people whose Social Security Number appeared on files impacted by the background investigation records incident. OPM and the Department of Defense (DOD) will work with a private-sector firm specializing in credit and identity theft monitoring to provide services. Notifications to those affected by this incident have not yet begun.

July 14, 2015

OPM Improves FAQs

OPM has improved the answers to the Frequently Asked Questions section of its breach website: https://www.opm.gov/cybersecurity/#FAQs.

NARFE encourages you to take a look. If you have a question that is not answered, please email cybersecurity@opm.gov.

July 10, 2015

Statement of Richard G. Thissen, NARFE President, on the Resignation of OPM Director Archuleta

Following the unprecedented theft of more than 21 million Social Security numbers of federal and contractor employees, job applicants and spouses, as well as highly sensitive security clearance information, Richard G. Thissen, National Active and Retired Federal Employees Association President, released the following statement on the resignation of OPM Director Katherine Archuleta, and the appointment of Beth Cobert, deputy director for management at the Office of Management and Budget, as interim OPM Director:

“OPM needs a proven leader not only to ensure a breach of this magnitude never happens again, but also to provide adequate protection to those affected. The Administration’s first priority must be to protect federal employees, retirees and their loved ones impacted by the breaches. We hope Ms. Cobert heeds our request for lifetime protection. We also call upon her to improve communications between OPM and federal employees and retirees and the groups that represent them.

“NARFE is encouraged to know that Beth Cobert will be taking over the job as interim director. Ms. Cobert, who has been involved in the investigation of the cyberattacks, brings a wealth of management experience and a proven track record of improving performance.

“NARFE’s concerns that a resignation could leave a vacuum in leadership have been adequately addressed by this appointment. As Ms. Archuleta leaves her post amid this crisis, NARFE thanks her for her service to our country and for her efforts to improve cybersecurity at OPM. The failure of OPM to protect those who serve our nation as federal employees was decades in the making. Ms. Archuleta did her best to right the ship and deal with the fallout from the massive data thefts that occurred under her watch, the blame for which must, in fairness, be shared widely.”

July 9, 2015

OPM Provides New Details on Second Data Breach

Today, the Office of Personnel Management (OPM) and the Office of Management and Budget (OMB) provided new information regarding the data breach, originally announced June 12, affecting federal background investigation data held by OPM.

Statement of Richard G. Thissen, NARFE President:

“The magnitude of this breach is staggering. Systems should have been in place to prevent this from happening in the first place. However, now that we are in this situation, our government’s first priority must be protecting those affected. For these 21.5 million people, a lifetime’s worth of information was exposed; they deserve nothing less than a lifetime of protection. Three years is not enough and will not bring peace of mind to those awaiting official notification that they were impacted by this incident. As the Administration continues its search for a vendor to provide monitoring and protection services, NARFE urges it to not limit these protections to three years.

“It is past due that the Administration ensures a security breach of this nature never occurs within our government again. In the months since these breaches were discovered, our leaders have not acted quickly enough to protect the sensitive information provided by our nation’s federal employees, and their loved ones, as a requirement of their public service. The President must immediately appoint a task force of leading public and private IT experts to apply more forceful measures to protect federal personnel IT systems. Time is of the essence.”

Information was provided via a conference call with employee and retiree groups, including NARFE, and announced via press release. Here’s what we learned:

•    Sensitive information, including the Social Security numbers (SSNs) of 21.5 million individuals was stolen from background investigation databases. This includes 19.7 million individuals who applied for a background investigation, and 1.8 million nonapplicants, predominantly spouses or cohabitants of applicants.

•    If an individual underwent a background investigation through OPM in 2000 or afterwards (which occurs through the submission of forms SF 86, the Questionnaire for National Security Positions; SF 85, the Questionnaire for Non-Sensitive Positions; or SF 85P, the Questionnaire for Public Trust Positions, for a new investigation or periodic reinvestigation), it is highly likely that the individual is impacted by this cyberbreach. If an individual underwent a background investigation prior to 2000, that individual still may be impacted, but it is less likely. Any applicant whether a federal employee or contractor, hired or not, would have had his or her data exposed.

•    Information exposed includes extensive personal information of the applicant, as well as personally identifiable information (PII), notably Social Security numbers, for non-pplicant spouses or cohabitants. The type of information exposed includes: residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history; and other details. Some records also include findings from interviews conducted by background investigators and fingerprints. Usernames and passwords that background investigation applicants used to fill out background investigation forms via eQip also were stolen.

•    There is no evidence this data has been misused since the breach occurred.

•    There is no evidence that separate systems that store information regarding retirement, health, financial, or payroll of federal personnel were impacted (for example, annuity rolls, retirement records, USA JOBS, Employee Express).

•    OPM will be providing at least three years’ worth of protection services, including: full-service identity restoration support and victim recovery assistance, identity theft insurance, identity monitoring for minor children, continuous credit monitoring, and fraud monitoring services beyond credit files. OPM and OMB are in the process of contracting with a vendor.

•    Notifications to affected individuals will not be sent immediately. “In the coming weeks, OPM will begin to send notification packages to individuals with details on the incident and information on how to access” the protection services (emphasis added). OPM cited national concerns and the logistics of hiring a contractor to provide the services as reasons that notifications would be delayed. 

•    OPM will establish an online cybersecurity incident resource center at: www.opm.gov/cybersecurity.

•    OPM will establish a call center to respond to questions and provide information. Individuals will not be able to receive personalized information until notifications begin and the call center is opened. NARFE will publish the call center number when it is available. In the meantime, OPM will employ an automated recording to answer frequently asked questions.

•    As initially reported, 4.2 million individuals’ personnel records were affected in the first breach announced on June 4. This number has not changed.

The full OPM press release is available here.

As always, NARFE will update this website with any additional information we receive. If you have questions, please do not hesitate to contact NARFE’s Federal Benefits Service Department at fedbenefits@narfe.org or (703) 838-7760.

July 7, 2015

NARFE President Discusses OPM Breaches on TV News Program

On July 6, NARFE National President Richard G. Thissen discussed the OPM security breaches on “Government Matters,” a Sunday morning TV news program on WJLA (ABC 7) in Washington, DC.  For a link to the NARFE-related part of the program, click here.  

 July 2, 2015

NARFE Will Testify Before Congress July 8 on OPM Data Breach

Message from NARFE President Richard G. Thissen

“On Wednesday, July 8, NARFE will testify before the House of Representatives regarding the data breach at the Office of Personnel Management (OPM). Since I will be attending the joint National Executive Board - Federation Presidents Meeting in Reno, NV, NARFE Director of Federal Benefits Services David Snell will be the witness. Our Federal Benefits Service Department has been fielding NARFE members’ calls and emails on this situation, and I am confident Dave will do an excellent job presenting your concerns to Congress. For more information on the hearing, please click here.

“Many of you have asked me if NARFE will be joining the recently announced lawsuit against OPM, or initiating our own. On June 29, the American Federation of Government Employees (AFGE), along with two individuals, filed a class action lawsuit against OPM, two of its top officials and an agency contractor over the cyber theft of employees’ personal information, alleging that failure to heed warnings and obey security policies led to the data breaches and caused damages to those affected.

“The lawyers filing the suit seek to represent all individuals affected by the data breaches. AFGE is suing on behalf of its members. But the class would include the millions of current and federal employees and retirees whose data was exposed. Thus, NARFE members affected by the breach do not need to do anything to join the lawsuit. Assuming the court approves the class, the class attorneys will be appointed by the court to represent the interests of everyone affected.

“In responding to the data breach, NARFE considered all strategies. But we do not believe it best serves NARFE-member interests to become the lead plaintiff in a lawsuit against OPM. Doing so would limit NARFE’s ability to communicate and advocate on behalf of federal employees and retirees to members of Congress and the administration, because of the limits on outside communication required by court proceedings. For example, NARFE could be forced to decline to testify before Congress on data breach issues if it were in the midst of a lawsuit on the subject against OPM. It also would limit the Association’s ability to receive information from OPM unfiltered by legal counsel -- information that could be useful to NARFE members trying to cope with the consequences of the data breaches.

“While NARFE has made the decision not to join the lawsuit for the reasons explained, we support the lawsuit’s effort to provide remedies to those affected by the data breach and to ensure that steps are taken to prevent such data breaches from happening in the future.”

June 29, 2015        

NARFE President Meets With OPM Director on Data Breaches

Message from NARFE President Richard G. Thissen:

“NARFE and other organizations representing federal employees and retirees met today with Katherine Archuleta, director of the Office of Personnel Management (OPM), and Beth Cobert, deputy director of the Office of Management and Budget (OMB), to discuss the recent cybersecurity breaches at OPM and the agency’s plans going forward.

“Director Archuleta provided us with statistics on the response times of contractor CSID and what it is doing to ensure your calls are being answered in a timely manner. We were informed that a call-back feature has been added to CSID’s phone operations.

“OPM also shared with us the decision to shut down the E-QIP system – the Web-based platform used to complete and submit background investigation forms – for several weeks, possibly months, to review the program’s security. You can find more information on that decision here.

“Like you, I remain frustrated there are more questions than answers. Be assured that we have relayed all of your questions and concerns to OPM and OMB, and we are continuing to seek answers.

“OPM Director Archuleta told us her agency is committed to keeping us informed, and I expect these meetings to continue.

“We will continue to keep NARFE members updated on this issue every step of the way. Please do not hesitate to contact our Federal Benefits Service Department at fedbenefits@narfe.org or 703-838-7760 with any questions you have.”

June 25, 2015        

The Latest: OPM appears before Congress again. Federal groups coalesce around message.

This week, OPM Director Katherine Archuleta appeared before Congress three times. You can watch the hearing before the Senate Appropriations Financial Services and General Government Subcommittee here, the hearing before the House Oversight and Government Reform Committee here, and the Senate Homeland Security and Governmental Affairs hearing here.

The Federal-Postal Coalition, which is chaired by NARFE Legislative Counsel Alan Lopatin, sent a letter to President Obama today expressing disappointment with communication surrounding the breaches and asked for swift action to be taken to protect highly personal data. You can read the letter here.

June 24, 2015        

The Latest: OPM Updates FAQ Webpage, Archuleta Appears Before Congress, Notifications Are Still on Their Way, NARFE Counsel Appears on Fox Business News

On June 23, the Office of Personnel Management (OPM) updated its Frequently Asked Questions page regarding the two security breaches at the agency. Additionally, OPM released a Cybersecurity Action Report regarding steps OPM has taken to protect security up until this point and its plans moving forward.

In hearings on Capitol Hill this week, OPM Director Katherine Archuleta reiterated that 4.2 million individuals were affected by the breach of employment records, which was announced on June 4. Those affected should have received an email or letter postmarked by June 19. Because many of the letters were sent on June 19, it is possible that some affected individuals have not yet received the notifications.

With regard to the second breach, which possibly exposed security clearance information, Archuleta commented media reports claiming 18 million individuals are affected are unsubstantiated, but she would not provide a figure because the investigation is ongoing. It may be greater than 18 million. As the investigation is continuing, individuals affected in this incident have not yet been notified, and Archuleta would not specify by when they would receive notice.

NARFE was asked by Fox Business News to discuss the reaction of NARFE members to the breaches and steps those affected should take to protect their identity and financial security. NARFE’s Legislative Counsel Alan Lopatin appeared on Fox Business News on June 23. You can watch the interview here.

June 19, 2015

OPM Provides NARFE With Update, More Information Needed

Message from NARFE President Richard G. Thissen

“I understand and share the frustration of NARFE members regarding the data breaches at OPM. We are working hard to get answers to your questions, but information isn’t as forthcoming as we’d like. We are continuing to push for answers, even if that push isn’t public.

“Today, NARFE and other organizations representing the federal community participated in a conference call with officials at the Office of Personnel Management (OPM). I’d like to pass on two items of note:

1.    Information released on June 4 as it relates to the first data breach has remained mostly unchanged, although the scope may be larger than initially thought. For instance, some current and former congressional staffers are impacted, while it was initially reported they were not. If you received an email or letter from OPM, it relates to this incident. If you haven’t gotten a letter, they are still being sent today, and it could arrive next week.

2.    Information regarding the second breach, which was announced on June 12, is largely unknown or classified. The extent of the breach is unknown. Many news outlets have reported a total of 14 million individuals are affected by the two breaches. This number is unsubstantiated. We do not yet know if retirement records were involved in this breach.”

OPM updated its Frequently Asked Questions webpage on June 18. Many of the questions NARFE posed in its letter to OPM Director Katherine Archuleta are not answered on this page.

NARFE will continue to update this website as information becomes available. If you have questions, please contact NARFE’s Federal Benefits Service Department at fedbenefits@narfe.org or 703-838-7760.

June 17, 2015

NARFE President Seeks Answers From OPM Director Archuleta

NARFE President Richard G. Thissen today sent a letter to Katherine Archuleta, director of the Office of Personnel Management (OPM), seeking answers to specific questions being asked by NARFE members regarding the data breaches at OPM. Thissen took the action following Archuleta’s appearance at a June 16 congressional hearing at which she declined to provide any new information on the two breaches. Thissen told Archuleta that the questions had been posed by NARFE to her staff, had been acknowledged as having been received, but had not been answered. He also noted there has been no recent update on the hacking incidents on the OPM website. NARFE’s president also asked Archuleta to increase the credit monitoring and fraud insurance assistance currently being offered to individuals affected by the breaches.

To read NARFE’s letter to Archuleta, please click here.    

June 17, 2015

House Committee Hearing Probes OPM Incidents

The House Committee on Oversight and Government Reform held a hearing Tuesday, June 16, on the recent cyberattacks against the Office of Personnel Management (OPM). OPM Director Katherine Archuleta and OPM’s Chief Information Officer Donna Seymour were among the key witnesses who testified at the hearing.

During the hearing, it was revealed that the agency’s Inspector General’s office had recommended that OPM consider shutting down a number of major systems found to be operating without meeting basic security standards. Archuleta’s response was that the recommendations had come “after the adversaries were already in our network” and that some of OPM’s databases were too old to successfully encrypt data. Archuleta continued to emphasize that OPM is working hard to upgrade security for the agency’s systems.

During the hearing, Archuleta did not answer questions from committee members regarding what information was contained in the hacked databases or whose data had been compromised. Instead, she responded by saying more information would be revealed in a classified briefing, which was held later that day and not open to the public.

If you would like to watch the public hearing in its entirety, please click here.  

June 15, 2015

Additional Databases at OPM May Have Been Compromised

On June 12, NARFE  learned that additional databases and personal information may have been breached at the Office of Personnel Management (OPM).

NARFE remains deeply concerned that information regarding this incident is scarce, leading to much speculation. We call on OPM to keep federal employees, former employees and retirees better informed moving forward. The lack of information is causing understandable alarm in the federal community. As more information becomes available, we will update this page.

The following is an update sent to agency heads from the Office of Management and Budget (OMB).

I am writing to provide you an update on the ongoing investigation into the cyber intrusion at the U.S. Office of Personnel Management (OPM) announced on June 4th.  OPM has recently discovered that additional systems were compromised. These systems included those that contain information related to the background investigations of current, former, and prospective Federal government employees, as well as other individuals for whom a Federal background investigation was conducted.

This separate incident – like the one that was announced on June 4th affecting personnel information of current and former federal employees – was discovered as a result of OPM’s aggressive efforts to update its cybersecurity posture, adding numerous tools and capabilities to its network.  

OPM, the Department of Homeland Security (DHS), and the Federal Bureau of Investigation (FBI) are working as part of this ongoing investigation to determine the number of people affected by this separate intrusion. OPM will notify those individuals whose information may have been compromised as soon as practicable. You will be updated when we have more information on how and when these notifications will occur.  

OPM remains committed to improving its security capabilities and has invested significant resources in implementing tools to strengthen its security barriers. Additionally, the Office of Management and Budget (OMB) has instructed Federal agencies to immediately take a number of steps to further protect Federal information and assets and improve the resilience of Federal networks. We are working closely with OMB, DHS and other experts across the government in these efforts to detect and thwart evolving and persistent threats.

As we have recently shared with you, the following are some key reminders of the seriousness of cyber threats and of the importance of vigilance in protecting our systems and data.

Steps for Monitoring Your Identity and Financial Information

•    Monitor financial account statements and immediately report any suspicious or unusual activity to financial institutions.

•    Request a free credit report at www.AnnualCreditReport.com or by calling 1-877-322-8228.  Consumers are entitled by law to one free credit report per year from each of the three major credit bureaus – Equifax®, Experian®, and TransUnion® – for a total of three reports every year.  Contact information for the credit bureaus can be found on the Federal Trade Commission (FTC) website, www.ftc.gov.
•    Review resources provided on the FTC identity theft website, www.Identitytheft.gov.  The FTC maintains a variety of consumer publications providing comprehensive information on computer intrusions and identity theft.
•    You may place a fraud alert on your credit file to let creditors know to contact you before opening a new account in your name.  Simply call TransUnion® at 1-800-680-7289 to place this alert.  TransUnion® will then notify the other two credit bureaus on your behalf.

Precautions to Help You Avoid Becoming a Victim

•    Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about you, your employees, your colleagues or any other internal information.  If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
•    Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information.
•    Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
•    Do not send sensitive information over the Internet before checking a website’s security (for more information, see Protecting Your Privacy, http://www.us-cert.gov/ncas/tips/ST04-013).
•    Pay attention to the URL of a website.  Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
•    If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly.  Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information.  Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (http://www.antiphishing.org).
•    Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic (for more information, see Understanding Firewalls, http://www.us-cert.gov/ncas/tips/ST04-004; Understanding Anti-Virus Software, http://www.us-cert.gov/ncas/tips/ST04-005; and Reducing Spam, http://www.us-cert.gov/ncas/tips/ST04-007).
•    Take advantage of any anti-phishing features offered by your email client and web browser.
•     Employees should take steps to monitor their personally identifiable information and report any suspected instances of identity theft to the FBI’s Internet Crime Complaint Center at www.ic3.gov.
•    Additional information about preventative steps by consulting the Federal Trade Commission’s website, www.consumer.gov/idtheft. The FTC also encourages those who discover that their information has been misused to file a complaint with the commission using the contact information below.

Identity Theft Clearinghouse
Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, DC 20580
1-877-IDTHEFT (438-4338)
TDD: 1-202-326-2502

June 12, 2015

NARFE Seeks OPM Response on Extent of Breach

Note: This post has been updated

A statement by NARFE President Richard G. Thissen:“This evening, it was widely reported that the extent of the security breach within the Office of Personnel Management (OPM) may be much greater than initially reported.

“NARFE implores OPM to speak directly to the media reports. Misinformation and speculation at this point only serves to illicit fear among those affected and possibly affected. It is incumbent upon OPM to provide additional information as soon as possible.

“The federal community is entitled to know the extent of the breach in order for federal employees, former employees, retirees and their family members to take the proper precautions to protect themselves.

“We will continue to update this page with more information as it becomes available.”

OPM released the following statement this evening:

The cyber intrusion announced last week affecting personnel records for approximately 4 million current and former federal employees was discovered through enhanced monitoring and detection systems that OPM implemented as part of an aggressive effort in recent months to strengthen our cybersecurity capabilities. Upon detecting that intrusion, OPM launched an investigation – in partnership with the Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT) and the FBI – to determine its full scope and impact. On June 8, as the investigation proceeded, the incident response team shared with relevant agencies that there was a high degree of confidence that OPM systems containing information related to the background investigations of current, former, and prospective Federal government employees, and those for whom a federal background investigation was conducted, may have been exfiltrated.

OPM continues to work with US-CERT and the FBI to determine the type of records that may have been compromised and the population of individuals affected. OPM takes very seriously its responsibility to protect the sensitive data we manage. Once we have conclusive information about the breach, we will announce a notification plan for individuals whose information is determined to have been compromised.

OPM remains committed to improving its security capabilities and has invested significant resources in implementing tools that have not only strengthened our security barriers to outside threats, but have also enabled us to detect and thwart our constantly evolving cyber adversaries.

June 10, 2015

OPM Guidance for Federal Employees on Signing Up for Credit Monitoring Services

The Office of Personnel Management (OPM) provided NARFE with the following update for federal employees affected by the OPM data breach:

Agency privacy officers should have the list of affected employees. Email and postal notifications will both come from CSID, the private contractor that is assisting OPM with the incident response. It is best for individuals to wait to receive their notice, which will include a PIN, before calling CSID or visiting the website http://www.csid.com/opm/. The notices will be sent to nearly everyone (employees) via email, which will come from opmcio@csid.com.  Because of the volume of notifications, OPM cannot be sure when everyone will receive their email notice. Notices to employees without a valid email address will happen via postal delivery over the next two weeks. (Note: OPM is working on the issue for DoDEA teachers.)
At this point CSID only has the names of affected individuals, the PIN that is included in their notices and the last four digits of the employees’ Social Security number (SSN). When affected individuals call CSID or visit the website, CSID initially will not ask for date of birth or full SSN, but will ask for the PIN or the last four digits of the SSN to help validate individual identities against the lists that they have.  
It is important to understand that once an affected individual has been validated against the CSID list, if they choose to enroll in CSID services they will have to provide personally identifiable information, just as they would when applying for a credit card or a bank loan. OPM strongly encourages agencies to allow employees to reach out to CSID while on duty time. If an employee does not have Internet access, OPM strongly encourages agencies to work with those individuals, as appropriate, to provide them access.  
OPM knows that some employees have already begun calling CSID, but advises that it is best to wait until after being contacted by opmcio@csid.com or via postal delivery.  For more information, please visit:  https://www.opm.gov/news/latest-news/announcements/frequently-asked-questions/.

June 9, 2015

NARFE is continuing to keep in close communication with the Office of Personnel Management (OPM), the Office of Management and Budget (OMB) and the administration regarding the data breach of employment records at OPM.

OPM has released and continues to update a Frequently Asked Questions page on its website. You should check this page first for answers to your questions.

Additionally, here is some information NARFE would like to share with federal employees and retirees wondering if they are affected with this incident. The answers to these questions were provided by OPM and OMB via a conference call June 8 with NARFE and other federal employee and retiree organizations.

Who’s affected?

One million federal retirees and three million current and separated federal employees had their personnel data exposed in this incident.

How will I know if I was affected?

If your data was exposed, you will receive a notification, including what information was compromised, via either an email message or a letter sent through the U.S. Postal Service. These messages/letters will be sent between June 8 and 19. The email will come from opmcio@csid.com. You will not receive a phone call and should never provide any personally identifiable information over the phone. Neither OPM nor any representative of OPM will initiate contact and ask for personally identifiable information, such as Social Security Number, date of birth or place of birth.

What about information regarding my family members? Are they impacted?

Family members of employees were not affected by this breach.

How were retirees affected if the retirement records were not breached?

In this incident, employment data was breached. OPM retains employment data after an employee has retired and, therefore, one million federal retirees were affected. We cannot stress enough that retirement records maintained by OPM’s Retirement Services division, were not breached.

What personal information was compromised? (This answer is taken from OPM’s website)

OPM maintains personnel records for the federal workforce.  The kind of data that may have been compromised in this incident could include name, Social Security number, date and place of birth, and current and former addresses. It is the type of information you would typically find in a personnel file, such as job assignments, training records and benefit selection decisions, but not the names of family members or beneficiaries and not information contained in actual policies. The notifications to potentially affected individuals will state exactly what information may have been compromised.

I work/used to work for the U.S. Postal Service. Was my information accessed?

If you worked ONLY for the U.S. Postal Service (USPS) during your federal career, your information was not compromised. However, if you had other federal service in addition to your time with USPS, it is possible your information was accessed. If your information was accessed, you will be notified as explained above.

I tried to sign up for credit monitoring but was unable to do so. Why?

Only those affected by the breach and are notified are able to sign up for free credit monitoring. NARFE advises federal employees and retirees to sign up for this service if they receive notification that their information was compromised.

How do individuals enroll in the OPM-provided CSID services?

A PIN code will be provided by email/letter. Personnel will need this PIN code to register for the credit monitoring. The PIN will help an individual access the CSID website, which will provide information on whether the employee has been impacted and information for registering for the identify theft coverage. Individuals may contact the CSID call center by calling toll-free 844-222-2743 (International callers: call collect 512-327-0700).

However, as of right now, the phone number above only provides a recording. The option to speak to a live person is not available at this time.

What can I do while I wait to receive notification?

1. Monitor your financial account statements and immediately report any suspicious or unusual activity to financial institutions.
2. Request a free credit report here or by calling 1-877-322-8228. 
3. Get educated about computer intrusions and identity theft.

4. Consider placing a fraud alert on your credit file to let creditors know to contact you before opening a new account in your name. Call TransUnion® at 1-800-680-7289 to place this alert.

I have a question that wasn’t answered here. Whom should I contact?

You can contact NARFE’s Federal Benefits Service Department at 703-838-7760 or fedbenefits@narfe.org.

 Originally released on June 5, 2015; updated June 9, 2015

Statement of NARFE President Richard G. Thissen Following the OPM Security Breach

“Last evening, I was informed directly by an official of the Office of Personnel Management (OPM) that the personnel records, including personally identifiable information (PII), of four million current and former federal employees were exposed to a cyberattack. NARFE is staying in close contact with OPM and the administration as they determine the extent of the data breach.

“I want to stress that we were told by OPM that retirement records, including those of spouses and survivors, were not compromised in this breach. The data accessed by the hackers was employment data. However, some of the individuals affected may no longer be employed by the federal government, whether they retired or left federal service. Approximately one million federal retirees are affected by this incident, and they will be receiving notification letters by email or postal service over the next two weeks.

“According to OPM, the following notification process will take place:

‘Beginning June 8 and continuing through June 19, OPM will be sending notifications to approximately 4 million individuals whose Personally Identifiable Information was potentially compromised in this incident. The email will come from opmcio@csid.com and it will contain information regarding credit monitoring and identity theft protection services being provided to those Federal employees impacted by the data breach. In the event OPM does not have an email address for the individual on file, a standard letter will be sent via the U.S. Postal Service.’

“I urge any NARFE members affected by this incident to take advantage of OPM’s offer of credit monitoring and identity theft protection services.

“NARFE will continue to keep its members informed regarding this incident. For the most up-to-date information, visit http://www.csid.com/opm/. Should NARFE members have any questions, they may contact NARFE’s Federal Benefits Service Department at (703) 838-7760 or fedbenefits@narfe.org.”

Following is the information issued by OPM in its entirety:

Information About the Recent Cybersecurity Incident

The U.S. Office of Personnel Management (OPM) recently became aware of a cybersecurity incident affecting its systems and data that may have compromised the personal information of current and former Federal employees.

Within the last year, OPM has undertaken an aggressive effort to update its cybersecurity posture, adding numerous tools and capabilities to its networks. As a result, in April 2015, OPM became aware of the incident affecting its information technology (IT) systems and data that predated the adoption of these security controls.

Since the incident was identified, OPM has partnered with the U.S. Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT), and the Federal Bureau of Investigation to determine the impact to Federal personnel.  And OPM immediately implemented additional security measures to protect the sensitive information it manages.

Beginning June 8 and continuing through June 19, OPM will be sending notifications to approximately 4 million individuals whose Personally Identifiable Information was potentially compromised in this incident.  The email will come from opmcio@csid.com and it will contain information regarding credit monitoring and identity theft protection services being provided to those Federal employees impacted by the data breach. In the event OPM does not have an email addre