ArtsAutosBooksBusinessEducationEntertainmentFamilyFashionFoodGamesGenderHealthHolidaysHomeHubPagesPersonal FinancePetsPoliticsReligionSportsTechnologyTravel

The OPM Data Breach – What To Do Now and In the Future to Protect Ourselves

Updated on January 9, 2018
tamarawilhite profile image

Tamara Wilhite is a technical writer, an industrial engineer, a mother of two, and a published sci-fi and horror author.

Background on the Office of Personnel Management Data Breach

The initially reported OPM data breach reported in June, 2015 includes all individuals who are currently federal employees, are retired federal employees, serve in the military. The later announcements expanded the number of people affected to include everyone who has an active security clearance, has held a security clearance held in the past few years or applied for one and filled out an SF86 form.

That means that if you have worked for the government in a civilian or military capacity, the Chinese have your personally identifiable information, plus all the incriminating personal information on your SF 86 form.

Furthermore, if you work for a defense contractor like Lockheed Martin or Boeing and have held a security clearance from the confidential to top secret level, the Chinese have all of your personally identifiable information and any incriminating information in your SF 86 form.

What You Can Personally Do About the Federal Records Data Breach

The OPM sent messages to the roughly four million people whose personally identifiable information was hacked from 6/4/15 to 6/19/15, due to malicious software that was discovered by a third party IT security tool demonstration.

You can go to the site or call 1-844-222-2743 to sign up for the CSID protector plus plan for 18 months.

Whether biometrics or a SecurID key fob, access controls other than a User ID and password must be in place to protect access to PII.
Whether biometrics or a SecurID key fob, access controls other than a User ID and password must be in place to protect access to PII. | Source

What If I Didn't Get an Email from CSID on the Data Breach?

Unfortunately, many people were sent this message as part of a mass message, and it then landed in their spam folders. Check your spam folder if you haven’t seen the message, as well as older email accounts, if the email address in your SF86 form or security paperwork is several years old.

If the OPM did not have an email address for the person, a physical letter was sent via USPS. One fluke of these letters that I personally experienced is that they do not always use the correct combination of name and address. In my case, I received the letter at my current address but with my maiden name. Many people did not receive the letter because it was sent to an old address and never forwarded or thrown out because it was not addressed to the current resident.

You cannot expect a government that doesn't protect its workers' data with the basic security measures to help you. Take proactive steps to protect yourself.
You cannot expect a government that doesn't protect its workers' data with the basic security measures to help you. Take proactive steps to protect yourself. | Source

What You Can Personally Do to Protect Yourself after the OPM Data Breach

Monitor your financial reports for suspicious activity. Check the credit reports for spouses whose Social Security Numbers were included on the SF86 form.

Request a free credit report at or call 1-877-322-8228 to request one.

You can put a fraud alert on your credit record by calling Transunion at 1-800-680-7289; Transunion will relay the alert to the other credit reporting agencies

Be careful of suspicious phone calls, visits or emails. Never simply reply to an email except from the CSID about the data breach.

Don’t provide information about your company, even if the message appears to come from your company. Many defense contractors are using internet websites to discuss what to do about the Office of Personnel Management data breach, not sending messages to their employees’ personal email accounts.

Double check the URL you are using when signing up for a credit report, reporting identity theft and checking your credit score.

Sign up for identity theft protection services like Zander Insurance. This is an option for those whose information was stolen in the U.S. Office of Personnel Management data breach, as long as you don’t have clear evidence that identity theft is already occurring. If someone has already started opening credit cards in your name, it is too late to get identity theft protection.

You can also request a credit freeze or security freeze, which makes it very difficult for someone to open a new account in your name. This won’t prevent you from requesting your free annual credit report but could add to the work load when you apply for a job that runs a credit check, open new utility accounts, submit an application to rent an apartment and get a credit check run in the process. In these cases, you’ll need to contact the credit reporting agency to temporarily lift the freeze, each time giving the PIN number that you received when the account was frozen.

What If You Think Your Identity Is Already Compromised per the OPM Data Breach?

The government is advising people to report suspected identity theft to the FBI internet crime complaint center at

If you have an active security clearance, also report suspected identity theft to the security contact of the program you are working on.

Consider putting a fraud alert on your credit report. Requesting a fraud alert with one credit reporting company will eventually get the other credit reporting agencies to place the fraud alert on their reports as well. You can also contact all three credit reporting agencies to put a fraud alert on your credit report, so that the protective measure is in place faster.

What We Can Do Long Term About the Data Breach?

First and foremost, require that all IT work for the government be done by American citizens resident in the United States. The U.S. Office of Personnel Management data breach was most likely the result of Chinese contractors working for the government on contract. IT service outsourcing should be limited to businesses and personnel located in the US with American citizenship to reduce the risk that those with access to our most sensitive information are not beholden to a foreign government. This applies to outsourcing by companies like CSC to Indian and European tech support, Tata Consultancy and any firm using HB-1 visa holders.

There is no STEM shortage preventing companies from finding qualified Americans to do this work. That is only an excuse for companies to lay off mid-career Americans and bring in foreign workers, as well as outsource to foreign firms that have lower labor costs.

Second, we can require the government to follow its own polices and best practices. The database with personally identifiable information should have been encrypted and access controlled via multi-factor authentication. It wasn’t, which made it that much easier to be accessed and potentially misused.

Third, the federal government needs to stop playing the dance of the lemons. When the Obamacare website rollout was a disaster, the IRS still hired them for a four and a half million dollar new contract in 2014. When data breaches, unlawful snooping of records and other massive failures occur, those responsible for the breach and their management should be terminated, banned from ever holding another position with the federal government again. Instead, they get demoted and shuffled off to a different job. For companies with a track record of failure like CGI, the company should be blacklisted from federal work and removed from existing contracts as quickly as possible.


This website uses cookies

As a user in the EEA, your approval is needed on a few things. To provide a better website experience, uses cookies (and other similar technologies) and may collect, process, and share personal data. Please choose which areas of our service you consent to our doing so.

For more information on managing or withdrawing consents and how we handle data, visit our Privacy Policy at:

Show Details
HubPages Device IDThis is used to identify particular browsers or devices when the access the service, and is used for security reasons.
LoginThis is necessary to sign in to the HubPages Service.
Google RecaptchaThis is used to prevent bots and spam. (Privacy Policy)
AkismetThis is used to detect comment spam. (Privacy Policy)
HubPages Google AnalyticsThis is used to provide data on traffic to our website, all personally identifyable data is anonymized. (Privacy Policy)
HubPages Traffic PixelThis is used to collect data on traffic to articles and other pages on our site. Unless you are signed in to a HubPages account, all personally identifiable information is anonymized.
Amazon Web ServicesThis is a cloud services platform that we used to host our service. (Privacy Policy)
CloudflareThis is a cloud CDN service that we use to efficiently deliver files required for our service to operate such as javascript, cascading style sheets, images, and videos. (Privacy Policy)
Google Hosted LibrariesJavascript software libraries such as jQuery are loaded at endpoints on the or domains, for performance and efficiency reasons. (Privacy Policy)
Google Custom SearchThis is feature allows you to search the site. (Privacy Policy)
Google MapsSome articles have Google Maps embedded in them. (Privacy Policy)
Google ChartsThis is used to display charts and graphs on articles and the author center. (Privacy Policy)
Google AdSense Host APIThis service allows you to sign up for or associate a Google AdSense account with HubPages, so that you can earn money from ads on your articles. No data is shared unless you engage with this feature. (Privacy Policy)
Google YouTubeSome articles have YouTube videos embedded in them. (Privacy Policy)
VimeoSome articles have Vimeo videos embedded in them. (Privacy Policy)
PaypalThis is used for a registered author who enrolls in the HubPages Earnings program and requests to be paid via PayPal. No data is shared with Paypal unless you engage with this feature. (Privacy Policy)
Facebook LoginYou can use this to streamline signing up for, or signing in to your Hubpages account. No data is shared with Facebook unless you engage with this feature. (Privacy Policy)
MavenThis supports the Maven widget and search functionality. (Privacy Policy)
Google AdSenseThis is an ad network. (Privacy Policy)
Google DoubleClickGoogle provides ad serving technology and runs an ad network. (Privacy Policy)
Index ExchangeThis is an ad network. (Privacy Policy)
SovrnThis is an ad network. (Privacy Policy)
Facebook AdsThis is an ad network. (Privacy Policy)
Amazon Unified Ad MarketplaceThis is an ad network. (Privacy Policy)
AppNexusThis is an ad network. (Privacy Policy)
OpenxThis is an ad network. (Privacy Policy)
Rubicon ProjectThis is an ad network. (Privacy Policy)
TripleLiftThis is an ad network. (Privacy Policy)
Say MediaWe partner with Say Media to deliver ad campaigns on our sites. (Privacy Policy)
Remarketing PixelsWe may use remarketing pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to advertise the HubPages Service to people that have visited our sites.
Conversion Tracking PixelsWe may use conversion tracking pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to identify when an advertisement has successfully resulted in the desired action, such as signing up for the HubPages Service or publishing an article on the HubPages Service.
Author Google AnalyticsThis is used to provide traffic data and reports to the authors of articles on the HubPages Service. (Privacy Policy)
ComscoreComScore is a media measurement and analytics company providing marketing data and analytics to enterprises, media and advertising agencies, and publishers. Non-consent will result in ComScore only processing obfuscated personal data. (Privacy Policy)
Amazon Tracking PixelSome articles display amazon products as part of the Amazon Affiliate program, this pixel provides traffic statistics for those products (Privacy Policy)
ClickscoThis is a data management platform studying reader behavior (Privacy Policy)