For many of us, 21.5 million is a number that has become all too familiar. 
It represents the wide swath of people whose background investigation data was stolen in a massive hack against the Office of Personnel Management. Victims include current, former, and prospective government employees and contractors, their spouses and children.
Many individuals who were impacted have not yet received official word from OPM. As of Nov. 4, OPM mailed about 5.5 million notification letters to affected individuals. The hack was discovered in late May and is one of two recently discovered breaches targeting OPM systems and data. (Read this story for a quick recap)
“The government began mailing notifications to individuals in late September,” according to ID Experts, which was awarded a contract to provide credit monitoring, identity monitoring, identity theft insurance and identity restoration services for the 21.5 million impacted individuals. “We estimate that notifications will continue to be made over a period of 12 weeks through the beginning of December. If you believe you should receive a letter and have not received it yet, please be patient.”
By now, I’m sure you’ve been directed to OPM’s page of FAQs, or the agency’s automated message line (866-740-7153) to hear about the incident. I do suggest checking it out if you haven’t already. You can also sign up for regular updates here.
My goal here is to provide other helpful tips and share some insight on what you can expect if you are notified that your data was stolen. To be clear, my focus is on the second data breach that specifically targeted background investigation data.
The Notification Letter. If you were in fact affected by the background investigation breach, you will receive a letter from OPM in the mail that briefly explains what happened and how to enroll in additional credit monitoring and identity services provided by ID Experts. Check out this example of what your letter will look like here. You may have heard that 1.1 million fingerprints were also stolen in the background investigations breach. If your fingerprints were stolen your letter will look like this.
Coverage for your spouse/co-habitant. Of the 21.5 million individuals affected by the background investigation data breach, 1.8 million were non-applicants, mainly spouses or co-habitants of applicants. If your spouse/co-habitant is included in that number, then he or she will receive the same coverage being offered to you, according to OPM. A separate letter will be mailed to your spouse/co-habitant, with a PIN number. I know this has caused some confusion for people who are wondering if their spouse will be covered.
If you suspect that your spouse was impacted, but he or she does not receive a letter with a PIN by early December, there will be a mechanism for you to report your concerns. According to OPM, “the government is working to set up a resource to assist individuals who have either lost their PIN code or believe their data may be impacted but have not yet received a notification letter.” Updates on how to access that resource will be posted on OPM.gov/cybersecurity, or you will receive a notice automatically if you signed up for the email updates. (Update: that website has been established. Read all the details here.)
Enrolling online for additional services. I highly recommend enrolling online if you are going to take advantage of the additional credit and identity monitoring services. It only takes a couple of minutes. You have to provide basic information about yourself, including name and address.
You will have to provide your full Social Security number to enroll in the additional services. I know this is less than ideal, considering your personal data was swiped and now you have to hand it over again. But I’m not here to debate that issue. I was told that you must provide this information because ID Experts does not have access to that data, and the company needs it to validate your identity and ensure you are who you say you are.
You will also be asked to create an online account. That way, ID Experts can notify you if your identity is stolen and misused. Any alerts you receive through your myIDcare account will instruct you to log into your account and will never include sensitive information.
As of now, coverage will run for three years, until December 31, 2018. ID Experts will provide a notification at least 30 days before the coverage ends. At that time, you can decide whether to end or extend the services.
Enrolling via phone. The wait times can be brutal on the phone, depending on what time you call. ID Experts has extended its phone service hours to 24×7 to ease the high call volume. If you do have questions, you will need to have your PIN code handy (those numbers are at the top of your letter from OPM) and the last four digits of your Social Security number before you are transferred to a representative.
If you have any additional tips to share, please include them in the comments section below!
I signed up for IDCare about two weeks ago and received an alert email last week. When I logged into their website I could not find any alert information. However now they are asking for bank account and routing numbers and credit card numbers. I don’t know if providing this information will allow more complete monitoring, or open the door to a lot more risk. How safe is this ID company?
Hi Michael, I suggest calling the ID company directly.
Thank you for providing information on coverage for spouse/co-habitant. I couldn’t find anything on this subject, including the OPM site, until I discovered your article.
Hi Glenn, thank you for the feedback. I’m glad the information was helpful.
What is my 6 digit pincode?? I thought I was done, then it wanted my 6 digit pincode. It can’t be the 24-digit pin number or my password, which is not 6 digits. I tried calling 800-750-3004 but it wasn’t taking calls, and I could find no information on your website so I’m stuck! Help!!!
Once I created my account they sent the 6 digit pin to the email I gave them. I believe there were also an option to get a text msg with the pin.
When you go to enroll, you find you must agree that IDE is not required to supply any services and that IDE can stop doing whatever it is they might elect to do, and can terminate at any time for “any reason or no reason.” And there’s worse. Really, someone should read the IDE one-sided oppressive boilerplate. Think they are Just kidding? Then why clearly write it down and say you must agree in order to enroll? 130,000,000 for this? Someone wins.