
FAQs

This section of the website will be updated with answers to questions that you have about these incidents and the notification process.

  • What happened during the OPM cybersecurity incidents announced in 2015? How many people were affected?
    • In 2015, OPM announced malicious cyber activity on its network and identified two separate but related cybersecurity incidents which had impacted the data of approximately 22.1 million Federal government employees, contractors, and others. First, OPM discovered malicious cyber activity on its network resulting in the exposure of the personnel data of approximately 4.2 million current and former Federal government employees. Second, OPM discovered malicious cyber activity on its network resulting in the exposure of the background investigation records of approximately 21.5 million individuals, primarily current, former, and prospective Federal employees and contractors. Approximately 600,000 individuals were impacted solely by the personnel records incident. This means approximately 3.6 million individuals were impacted by both the personnel records incident and the background investigation records incident.

  • Who responded to these incidents?
    • OPM partnered with the U.S. Department of Homeland Security's Computer Emergency Readiness Team (US-CERT), and the Federal Bureau of Investigation (FBI) to investigate and determine the potential impact of this incident.

  • What was included in a background investigation file?
    • In general, background investigation forms collect personal information, including Social Security numbers (SSN), of people occupying, or seeking to occupy, positions with the Federal government. This information is used to:

      • Check criminal histories
      • Validate education histories
      • Validate employment histories
      • Validate living addresses; and
      • Gain insight into the character and conduct of background investigation applicants through reference checks.

      In addition, some people occupying public trust or national security positions provide additional types of information that may include:

      • Personal information of a spouse or a cohabitant (including SSNs)
      • Personal information of parents, siblings, other relatives, and close friends (but does not include SSNs)
      • Foreign countries visited and individuals the applicant may know in those countries
      • Current or previous treatment for mental health issues
      • Use of illegal drugs; and
      • Previous places a background investigation applicant may have lived, worked, or attended school.

      Some records also include findings from interviews conducted by background investigators. If your fingerprint data were compromised, your notification letter will contain this information. Usernames and passwords that background investigation applicants used to fill out their background investigation forms were also compromised.

      Note: While background investigation records may contain some information regarding mental health and financial history provided by applicants and sources contacted during the background investigation, there is no evidence that separate systems which store information regarding the health, financial, payroll and retirement records of Federal personnel were impacted by this incident (for example, annuity rolls, retirement records, USA JOBS, Employee Express).

  • What is a background investigation?
    • The U.S. Government conducts background investigations to assist agencies in determining whether individuals are trustworthy, reliable, and of good conduct and character for positions with the Federal Government.

      The U.S. Government conducts investigations of certain individuals who will occupy positions which could impact national security, including positions requiring access to classified national security information. The amount of information requested depends on the risk to the public trust, the impact on the national security, and whether an individual has a job which requires access to classified national security information. To see the different forms, select the corresponding forms: SF-86 (PDF file), SF-85 (PDF file), or SF-85P (PDF file).

      In general, background investigation forms collect personal information, including Social Security numbers (SSN), of people occupying, or seeking to occupy, positions with the Federal government. This information is used to:

      • Check criminal histories
      • Validate education histories
      • Validate employment histories
      • Validate living addresses; and
      • Gain insight into the character and conduct of background investigation applicants through reference checks.

      In addition, some people occupying public trust or national security positions provide additional types of information which may include:

      • Personal information of a spouse or a cohabitant (including SSNs)
      • Personal information of parents, siblings, other relatives, and close friends (but does not include SSNs)
      • Foreign countries visited and individuals the applicant may know in those countries
      • Current or previous treatment for mental health issues
      • Use of illegal drugs; and
      • Previous places a background investigation applicant may have lived, worked, or attended school.

      For public trust and national security investigations, other information may be collected related to parents, siblings, other relatives, close friends, and previous places a background investigation applicant may have lived, worked, or attended school. This information is used to interview employers, friends, and neighbors about the applicant, his or her conduct, and personal history, and to conduct local law enforcement checks at previous locations lived.

  • Was I impacted by the 2015 background investigation records incident?
    • The Social Security numbers of approximately 21.5 million individuals were impacted by the 2015 background investigation records incident. This includes approximately 19.7 million individuals who applied for background investigations and 1.8 million non-applicants (predominantly spouses or cohabitants of applicants).

      If you underwent a background investigation through OPM in the year 2000 or afterwards (which occurs through the submission of forms SF-86, SF-85, or SF-85P for a new investigation or periodic reinvestigation), it is highly likely that you were impacted by this cyber incident. If you underwent a background investigation prior to the year 2000, you may be impacted, but it is less likely. If you are one of the following, you may have been impacted:

      • Current or former Federal government employee;
      • Member of the Military, or Veteran;
      • Current or former Federal contractor;
      • Job candidate required to complete a background investigation before your start date; or
      • Spouse or cohabitant of a member of any of the above groups.

      Those who were impacted were sent a notification letter. If you did not receive a notification letter, but believe your data may have been impacted, you may contact the Verification Center.

  • Who else in my family or other networks was impacted by the 2015 background investigation records incident? How can I determine who these people are?
    • When you submitted your background investigation form, you likely provided the name, address, date of birth, or other similar information of close contacts. These individuals could include immediate family members, cohabitants, or other close contacts.

      In many cases, the information about these individuals is the same as information generally available in public forums, such as online directories or social media, and therefore the compromise of this information generally does not present the same level of risk of identity theft or other issues. However, if the Social Security number of any of these individuals was included in the cyber incident, the individual should have received a separate notification letter from OPM.

      If you did not receive a notification letter, but believe your data may have been impacted, you may contact the Verification Center.

  • How many people were impacted by the 2015 personnel records incident?
    • Approximately 4.2 million current or former Federal employees were impacted by the incident involving personnel records. Contractor employees were not impacted, unless they were also current or former Federal employees.

      Approximately 600,000 individuals were impacted solely by the personnel records incident. This means approximately 3.6 million individuals were impacted by both the personnel records incident and the background investigation records incident.

      Those who were impacted were sent a notification letter. If you did not receive a notification letter, but believe your data may have been impacted, you may contact the Verification Center.

  • Were Federal retirees impacted?
    • If you underwent a background investigation in the year 2000 or afterwards (which occurs through the submission of forms SF-86, SF-85, or SF-85P), it is highly likely that you were impacted by the 2015 background investigation records incident. This could include Federal retirees. Individuals who submitted this information prior to the year 2000 may be impacted, but it is less likely. Former federal employees who have since retired also may have been impacted by the separate, but related, 2015 personnel records incident.

      Those who were impacted were sent a notification letter. If you did not receive a notification letter, but believe your data may have been impacted, you may contact the Verification Center.

  • What if I believe I was impacted, but I haven’t received a notification letter or PIN?
    • OPM has partnered with the Department of Defense to establish a Verification Center to assist individuals who have either lost their 25-digit PIN code or who believe their data may have been impacted by the 2015 cyber incidents, but have not received a notification letter.

      If you contact the Verification Center and we determine that your Social Security number and other personal information were impacted by the 2015 cyber incidents, you will receive a letter which will provide your PIN code and give you enrollment instructions. After we have compared the identity data you provided with the data in our records, if we conclude your Social Security number was not compromised in the incidents, you will receive a letter with that information. This letter may take up to four weeks to arrive by mail. If you submit your information more than once during a six-week period, this may cause a delay in receiving a letter.

      You may access the Verification Center at https://opmverify.dmdc.osd.mil/. For those needing assistance with submitting your information, you may call the Verification Center at 866-408-4555 Monday through Saturday, between 9:00 a.m. and 9:00 p.m. Eastern Time.

  • Was my spouse/partner/family member impacted by the 2015 cyber incidents?
    • Spouses, partners and family members were not impacted by the 2015 personnel records incident, unless they were also current or former Federal employees.

      They may have been impacted by the 2015 background investigation records incident. Some background investigation forms ask for the Social Security number (SSN) of your spouse or cohabitant. If that is the case, your spouse or cohabitant also received a notification and will be able to sign up for services. SSNs were not required for all spouses or cohabitants on other forms. In all other cases, SSNs were not required for other family members. Information you may have provided about other family members includes name, address, date of birth, or other similar information, which may have been listed on a background form. In many cases, this information is the same as what is generally available in public forums such as online directories or social media and, therefore, generally does not present the same level of risk of identity theft or other issues as with a Social Security number.

      Those who were impacted were sent a notification letter. If you did not receive a notification letter, but believe your data may have been impacted, you may contact the Verification Center.

  • When did OPM send notification letters?
    • Initial notification letters were mailed to those impacted by the cybersecurity incidents in 2015. About 10 percent of the letters intended to reach those impacted by the background investigation records incident were returned because people had moved, the letters were incorrectly addressed, or other factors. Subsequently, in the summer of 2016, OPM was able to resend certain letters which were previously returned as undeliverable, after making an effort to obtain updated address information. Each letter which was resent clearly states at the top of the letter that it is a duplicate of the letter previously sent, but not successfully delivered. In November and early December of 2016, OPM also mailed notification letters about the service provider change to those who were impacted only by the personnel records incident.

      OPM has partnered with the Department of Defense to establish a Verification Center to assist individuals who believe that their data may be impacted but have not received a notification letter.

  • What is the Verification Center?
    • The Federal Government set up a Verification Center to assist individuals who believe their data may have been impacted by the 2015 cyber incidents, but who have not received a letter. The Verification Center will also assist individuals who received a letter notifying them that their data had been impacted by the cyber incidents, but who have lost the PIN code included in that letter and who would like to have a copy of their letter resent. The PIN code is needed to register for services.

  • What kind of information will I need to provide the Verification Center?
    • You will be asked for information such as your name, address, Social Security number, and date of birth. You will also be asked for an email address in case the Verification Center needs to contact you. This information will be used to determine whether your data were impacted by the cyber incident involving background investigation records.

  • My browser is having trouble connecting with the Verification Center.
    • The Verification Center works with the latest versions of Internet Explorer, Google Chrome, and Mozilla Firefox web browsers. If your preferred browser is not working with the Verification Center, first try using a different browser; then try clearing your cache.

      If you are having difficulty accessing the Verification Center from a workplace network, please contact your office’s IT team to troubleshoot the matter.

  • Why does it take up to four weeks to receive my notice from the Government?
    • The Government estimates that each individual submitting a verification request to determine if his/her data were impacted by the 2015 cyber incidents will receive a reply within approximately four weeks of submitting his/her request. The four week period is an estimate, which may vary based on the quantity of requests received. The identity confirmation process used by the Verification Center has been developed to protect an individual’s personal information. In order to protect personal information, after an individual submits his/her information, it will be matched against the information within a separate government database. The Government will print and mail notification letters via the U.S. Postal Service. If you submit your information more than once during a six-week period, this may cause a delay in receiving a letter.

  • Why do I need a 25-digit enrollment PIN code?
    • The government has not provided any personally identifiable information to the service provider which is providing identity theft protection and credit monitoring services for the 2015 cyber incidents. Each notification letter for impacted individuals contains a 25-digit PIN code. This PIN code is used in conjunction with the last four digits of your Social Security number to validate an impacted individual’s eligibility to receive government-provided identity protection services.

      Please know the Government does not anticipate the unique 25-digit PIN code provided to each impacted individual will change over the life of the Congressional mandate. This means the 25-digit PIN code will stay the same, regardless of whether there is a change in the service provider in the future. Therefore, you will be able to use the 25-digit PIN code you were provided previously to enroll with a new service provider in the event there is a change in the service provider in the future.

  • Will my 25-digit enrollment PIN code ever change?
    • In accordance with the Consolidated Appropriations Act of 2017, Public Law No. 115-31, OPM will continue to facilitate the provision of identity theft coverage to individuals impacted by the 2015 cyber incidents for a period of not less than 10 years and which includes not less than $5 million in identity theft insurance. The extended services will cover individuals through Fiscal Year 2026.

      Please know the Government does not anticipate the unique 25-digit PIN code provided to each impacted individual will change over the life of the Congressional mandate. This means the 25-digit PIN code will stay the same, regardless of whether there is a change in the service provider in the future. Therefore, you will be able to use the 25-digit PIN code you were provided previously to enroll with a new service provider in the event there is a change in the service provider in the future.

  • After I enroll in services, should I keep or destroy my letter?
    • In accordance with the Consolidated Appropriations Act of 2017, Public Law No. 115-31, OPM will continue to facilitate the provision of identity theft coverage to individuals impacted by the 2015 cyber incidents for a period of not less than 10 years and which includes not less than $5 million in identity theft insurance. The extended services will cover individuals through Fiscal Year 2026.

      The decision whether to keep or destroy your letter is entirely up to you. However, please know the Government does not anticipate the unique 25-digit PIN code provided to each impacted individual will change over the life of the Congressional mandate. This means the 25-digit PIN code will stay the same, regardless of whether there is a change in the service provider in the future. Therefore, you will be able to use the 25-digit PIN code you were provided previously to enroll with a new service provider in the event there is a change in the service provider in the future.

  • I need my notification letter with PIN code sent to a different address. What can I do?
    • If you believe your data were impacted by the 2015 cyber incidents, but have not received a notification letter, you can contact the Verification Center to provide your current address where your letter will be mailed. Please note that your address will not be updated in any other government database.

  • The Verification Center website is telling me "There are errors on the form." What should I do?
    • The Federal Government has set up a Verification Center to assist individuals who believe their data were impacted by the 2015 cyber incidents. If there are asterisks next to the line in which you are entering your information, then there is an error with the information you are entering. Errors typically occur because of incorrect formatting or characters which are not allowed in that field as specified on the form. As you type your information, a message will appear if you make a formatting error. This message will provide you with guidance on the proper format for that line. You will not be able to submit your information until that line is fixed.

      If you are still having difficulty submitting your information online, you can contact the call center at 866-408-4555 Monday through Saturday, between 9:00 a.m. and 9:00 p.m. Eastern Time.

  • Why can’t I find out my PIN code when I enter my information on the Verification Center website?
    • Once you provide your name, address, Social Security number, and date of birth, your information must be checked against the government’s database to determine whether your Social Security number was included in the 2015 cyber incidents. To provide additional security, the data used to determine whether your data were impacted is stored in another system which is not accessible from the Internet. This offline database check process was designed to protect your personal information.

  • Why can’t the agent on the phone tell me if I am impacted, or the address you have for me?
    • Once you provide your name, address, Social Security number, and date of birth, your information must be checked against the government’s database to determine whether your Social Security number was included in the 2015 cyber incidents. For security and privacy purposes, the call center agents do not have access to this database. Call center agents assist individuals who need help entering their personal information into the system. After submitting your information, your response letter may take up to four weeks to arrive through the mail. If you submit your information more than once during a six-week period, this may cause a delay in receiving a letter.

  • How do I enroll in credit monitoring and identity protection services?
    • If you have already received your letter and 25-digit PIN code, you can go to the Cybersecurity Resource Center and select the “Enroll with the Service Provider” button. If you would prefer to enroll in services with a call center agent, please call 800-750-3004 Monday through Saturday, between 9:00 a.m. and 9:00 p.m. Eastern Time.

  • I have a post-enrollment question.
    • If you have already enrolled and have questions or concerns about your post-enrollment services, you may call 800-750-3004 Monday through Saturday, between 9:00 a.m. and 9:00 p.m. Eastern Time.

  • What are my options if my information was not compromised? I don’t feel safe.
    • The Federal Government still recommends you remain vigilant about protecting your identity and monitoring your credit even if we have concluded your Social Security number was not impacted in the 2015 cyber incidents. There are several on-line resources available to assist you in protecting yourself:

      • For information about ways to protect yourself from identity theft, visit the Federal Trade Commission’s Identity Theft website.
      • For information about how to recover from identity theft, visit the Federal Government’s one-stop resource for identity theft victims at IdentityTheft.gov.
      • For information about what the Department of Justice is doing to stop identity theft fraud, visit the Department’s website.

  • I received a letter notifying me that I was impacted by the 2015 cyber incidents, but my PIN code doesn’t work. What should I do?
    • You should be able to sign up for services by selecting the link on the OPM Cybersecurity Resource Center website. To enroll in services, you will need to enter your 25-digit PIN code when prompted. Please note that the 25-digit PIN code is broken up into five boxes within the notification letter in order to make it easier to read. The PIN code includes only numbers and does not include any letters or special characters.

      If your PIN code does not work at first, please attempt to carefully re-enter it to ensure that it is not being mistyped. If your PIN code still does not work, please contact the Verification Center.

  • My letter was addressed using my initials, a nickname, a previous address, etc. Why?
    • The Government has attempted to locate the best address for individuals impacted by the 2015 cyber incidents. Due to the nature of this data in our systems, unfortunately some letters have been mailed with old addresses or names.

      If you believe you are the intended recipient of the letter, you may enroll using the provided 25-digit PIN code in conjunction with the last four digits of your Social Security number. To access the webpage to enroll in services, please visit the OPM Cyber Security Resource Center at https://www.opm.gov/cybersecurity and select the "Enroll with Service Provider" link. If you believe your data may have been impacted by the cyber incidents but do not believe the letter you received was intended for you, please visit the Verification Center. Through the Verification Center, you may verify if you were impacted. Your response letter may take up to four weeks to arrive through the mail. If you submit your information more than once during a six-week period, this may cause a delay in receiving a letter.

      You may access the Verification Center at https://opmverify.dmdc.osd.mil/. For those needing assistance with submitting your information, you may call the Verification Center at 866-408-4555 Monday through Saturday, between 9:00 a.m. and 9:00 p.m. Eastern Time.

  • Who is the service provider for the 2015 cybersecurity incidents?
    • OPM has utilized the General Services Administration (GSA) Identity Protection Services (IPS) Multiple Award Blanket Purchase Agreement (BPA) to award a consolidated BPA Call to Identity Theft Guard Solutions, LLC, doing business as ID Experts. ID Experts will continue to provide impacted individuals with a comprehensive suite of identity theft protection and monitoring services.

  • What is MyIDCare?
    • MyIDCare is the brand name of ID Experts’ identity-monitoring product being offered to you if you were impacted by the 2015 cyber incidents.

  • Do individuals impacted by the 2015 cyber incidents need to register for identity protection services?
    • Credit monitoring and identity protection begins immediately upon enrollment. Impacted individuals will be able to enroll themselves and their dependent minor children in credit monitoring and identity monitoring services once they receive their notification and 25-digit PIN code.

      Impacted individuals and their dependent minor children have access to this identity theft insurance and identity restoration coverage at any time during the coverage period without having to enroll in monitoring services; however, to utilize this benefit, you will need to verify that you are eligible to access services with the service provider.

  • When will identity protection services end for individuals impacted by the 2015 cybersecurity incidents?
    • In accordance with the Consolidated Appropriations Act of 2017, Public Law No. 115-31, OPM will continue to facilitate the provision of identity theft coverage to individuals impacted by the 2015 cyber incidents for a period of not less than 10 years and which includes not less than $5 million in identity theft insurance. The extended services will cover individuals through Fiscal Year 2026.

      OPM has utilized the General Services Administration (GSA) Identity Protection Services (IPS) Multiple Award Blanket Purchase Agreement (BPA) to award a consolidated BPA Call to Identity Theft Guard Solutions, LLC, doing business as ID Experts. ID Experts will provide impacted individuals with a comprehensive suite of identity theft protection and monitoring services. The new award, announced in December 2018, has a possible full period of performance of five years.

      This is part of OPM’s continuing efforts to provide coverage to all impacted individuals through FY 2026. OPM will continue to update this website with more information regarding implementing services for the duration of the mandated coverage period as it becomes available.

  • Are “dependent minor children” of individuals impacted in the 2015 cyber security incidents being covered and how are you defining “dependent minor children?”
    • Although the Social Security numbers of children were not requested on background investigation forms, dependent minor children of impacted individuals are also eligible to receive the suite of services. For purposes of coverage, dependent minor children are defined as children of impacted individuals who were under the age of 18 as of July 1, 2015.

  • For individuals impacted by the 2015 cyber incidents, how are you going to work with the service provider to protect our personally identifiable information (PII) data?
    • OPM has utilized the General Services Administration (GSA) Identity Protection Services (IPS) Multiple Award Blanket Purchase Agreement (BPA) to award a consolidated BPA Call to Identity Theft Guard Solutions, LLC, doing business as ID Experts.

      The GSA IPS BPA requirements, including security requirements, were carefully drafted by an inter-agency, inter-disciplinary group of subject matter experts, including security and privacy representatives from the Department of Homeland Security, Department of Defense, Federal Trade Commission, and other agencies. The selected BPA vendors have demonstrated compliance with National Institute of Standards and Technology privacy and other advanced security requirements as outlined in the GSA BPA Award and the BPA Call Performance Work Statement. Additionally, the selected vendors have provided system security plans and will support onsite security inspections by the Government at any location where protected information is collected, stored, or used and will continue to do so.

  • How will I receive my notification for the 2015 cyber incidents if my address has changed?
    • OPM attempted to obtain the best available address for individuals using government and commercial sources. If you believe you may have been impacted but did not receive a letter, we have partnered with the Department of Defense to establish a Verification Center. You can contact the Verification Center to provide your current address where your letter will be mailed. Please note that your address will not be updated in any other government database.

      You may access the Verification Center at https://opmverify.dmdc.osd.mil/. Or, you may call 866-408-4555 Monday through Saturday, between 9:00 a.m. and 9:00 p.m., Eastern Time, and ask to speak to an agent. Your response letter may take up to four weeks to arrive through the U.S. Postal Service to the address you provided on the website or shared with a call center agent. If you submit your information more than once during a six-week period, this may cause a delay in receiving a letter.

      Please note that the service provider can enroll individuals with a PIN code, but for security and privacy purposes, the service provider cannot verify whether or not an individual’s data may have been impacted or enroll individuals without a PIN.

  • Why are you not providing services to family members who are on the background investigation form?
    • In many cases, the information about these individuals is the same as what is generally available in public forums such as online directories or social media, and therefore generally does not present the same level of risk of identity theft or other issues. However, if your family member’s Social Security number was included in the compromised data, that individual should have received a separate notification letter and PIN code.

  • If I receive a communication from someone representing themselves as a government agent of some kind, how should I react?
    • You will not receive an unsolicited phone call from OPM or the identity protection and credit monitoring service providers. If you are contacted by anyone asking for your personal information in relation to this incident, do not provide it. However, we may reach out to a specific individual in response to a specific inquiry received from the individual or someone acting on his/her behalf.

  • I lost my notification about the 2015 cyber incidents.
    • OPM has partnered with the Department of Defense to establish a Verification Center to assist individuals who have either lost their 25-digit PIN code, or who believe their data may be impacted by the 2015 cyber incidents, but have not received a notification letter.

      If you contact the Verification Center and we determine that your Social Security number and other personal information were impacted by the 2015 cyber incidents, you will receive a letter which will provide your PIN code and give you enrollment instructions. After we have compared the identity data you provided with the data in our records, if we conclude your Social Security number was not compromised in the incidents, you will receive a letter with that information. This letter may take up to four weeks to arrive by mail. If you submit your information more than once during a six-week period, this may cause a delay in receiving a letter.

      You may access the Verification Center at https://opmverify.dmdc.osd.mil/. For those needing assistance in entering your information, you may call the Verification Center call center at 866-408-4555 Monday through Saturday, between 9:00 a.m. and 9:00 p.m. Eastern Time.

  • How will I know if my fingerprint information was impacted?
    • Of the approximately 21.5 million individuals whose Social Security Numbers and other sensitive information were impacted by the 2015 background investigation records incident, the subset of individuals whose fingerprints were included is approximately 5.6 million. If OPM determined your fingerprint data were likely included in the cyber incident, your notification letter will include this information.

  • I’ve never worked for the Government. Why did I receive a letter?
    • Some individuals who never worked for the Government were impacted by the 2015 cyber incidents, including spouses or co-habitants of applicants, contractors, and certain other individuals who submitted information to the Government in connection with a background check.

      The Federal Government has set up a Verification Center to assist individuals who believe their data were impacted by the 2015 cyber incidents. You may access the Verification Center at https://opmverify.dmdc.osd.mil/. For those needing assistance with submitting your information, you may call the Verification Center at 866-408-4555 Monday through Saturday, between 9:00 a.m. and 9:00 p.m. Eastern Time.

  • Why do I have to give personal information upon enrollment? Don’t you already have my personal information?
    • The government has not provided any personally identifiable information to the service provider. Each notification letter for impacted individuals contains a 25-digit PIN code. This PIN code is used in conjunction with the last four digits of your Social Security number and is needed to validate an impacted individual’s eligibility to receive government-provided identity protection services.

  • Why did my dependent minor child receive a letter?
    • If your dependent minor child’s Social Security number was listed on your background investigation form or your dependent minor child filled out a background investigation form for an internship or job, he/she may have been impacted by the 2015 cyber incident involving background investigation records. As a result, he/she would have received a mailed notification letter and 25-digit PIN code. He/she may register for services by selecting the "Enroll with Service Provider" link from the OPM Cyber Security Resource Center or by calling the service provider at 800-750-3004 Monday through Saturday, between 9:00 a.m. and 9:00 p.m. Eastern Time.

  • My dependent child is now an adult and over 18. How does he/she enroll for services?
    • Your dependent child will need to sign up for his/her own coverage on or following his/her 18th birthday and can do so by calling the service provider at 800-750-3004 Monday through Saturday, between 9:00 a.m. and 9:00 p.m. Eastern Time.

      Because most minors may not have sufficient credit history to secure their own credit, they may not have credit authorization questions that they can answer to further verify their identity and access the credit monitoring portion of the product. If this is the case, please call the service provider and an agent can enroll him/her in the non-credit monitoring product. The service provider will provide identity restoration services regardless of whether the individual enrolls in the credit or non-credit monitoring services.

  • What should I do if I cannot answer the enrollment questions?
    • Credit monitoring and identity protection services verify your identity by asking a series of questions generated by a credit reporting bureau that only you should be able to answer. The service provider uses the answers you provide, matching them against answers provided by the credit reporting bureau.

      These questions are generated by the credit reporting bureau and cannot be customized by the website or call center agent, nor does the call center agent have any information pertaining to these questions. If you are unable to successfully answer the enrollment questions, you may need to wait for a period of time and then try the process again. If you encounter ongoing issues, you may call the identity protection and credit monitoring service provider for assistance.

  • Does ID Experts provide a mailed alternative?
    • The most efficient way an impacted individual can access his/her credit monitoring and identity protection services is through the MyIDCare online web portal, which is accessible 24 hours a day, 7 days a week. However, if you received a notification letter with your 25-digit PIN code, you may request ID Experts provide you with MyIDCare mailed alternative notifications via the U.S. Postal Service. The mailed alternative is offered to you in addition to your online portal access. To enroll in the mailed alternative, please call the service provider at 800-750-3004 and a representative will be able to assist you.

  • Can I enroll if I have a credit freeze with the credit bureaus?
    • Most credit monitoring services verify your identity at enrollment by matching information provided to them by you with information provided by credit bureaus. If you currently have a freeze on your credit report, it is possible that you may not be able to complete the account creation process until the freeze is lifted.

      Experian is the credit bureau ID Experts uses to verify your identity. Therefore, if you have placed freezes on your credit report with the credit bureaus, you need to remove the credit freeze with only Experian in order to enroll for services from ID Experts. Once successfully enrolled, you may choose to refreeze your credit with Experian.

      You may unfreeze, and refreeze, your credit directly with Experian at:

      For more information on credit freeze, please visit the Federal Trade Commission Website.

  • I live overseas. Why do I need a valid U.S. Address to enroll with the service provider?
    • You will need a valid U.S. address to enroll in services because some of the specific services require this information for activation, such as Sex Offender and Change of Address monitoring. If you do not have a current U.S. address, we recommend you use your most recent U.S. address or a relative’s address. Please know the service provider’s system allows for Army Post Office (APO), Diplomatic Post Office (DPO), and Fleet Post Office (FPO) addresses to be entered.

  • I have an APO, DPO, or FPO address. Can I enroll?
    • Yes, the service provider allows for an APO, FPO, or DPO address.

  • Is there a cost to enroll?
    • Services are being provided at no cost to the individual.

  • Can sex offender alerts be ceased?
    • Yes, the sex offender alerts can be ceased. Please call the service provider at 800-750-3004 and a representative will be able to assist you. Please note that the removal of these alerts will take 24 to 48 hours and the removal will not impact the credit monitoring features of your membership. Once you cease the sex offender alerts, it cannot be undone.

  • What if I received a notification letter to enroll with ID Experts? Who is that and how am I impacted?
    • ID Experts is the company providing services to those impacted by the 2015 background investigation and personnel records incidents.

      Individuals impacted by the 2015 cyber incidents should have received their notification along with information about identity theft monitoring and restoration services. You may enroll with the service provider by selecting the "Enroll with Service Provider" link from the OPM Cyber Security Resource Center or by calling the service provider at 800-750-3004 Monday through Saturday, between 9:00 a.m. and 9:00 p.m. Eastern Time. To verify whether you were impacted by this incident, please visit the Verification Center to verify if you were impacted, and sign up for services.

  • I previously enrolled in services with ID Experts. Has anything changed with my services since the new BPA Call was awarded?
    • If you previously enrolled with ID Experts (MyIDCare) before December 31, 2018, you will continue to receive government-sponsored coverage from ID Experts at no cost to you. You will also continue to be automatically covered by identity theft restoration and identity theft insurance. When you log in to your MyIDCare account online, you may be asked to review an updated vendor Privacy Policy and Terms and Conditions. You are also entitled to request an updated Tri-Bureau Credit Report. To do so, please call ID Experts at 1-800-750-3004.

      Please note, the Tri-Bureau Credit Report will be generated only once upon your request during the new BPA Call performance period. However, you are entitled to a free credit report from each of the three credit bureaus (Equifax, Experian, and TransUnion) once every 12 months. You can request all three reports at once, or space them out throughout the year. You can request your free credit report by visiting Annual Credit Report at https://www.annualcreditreport.com or by calling 1-877-322-8228.

  • Why am I being asked to sign updated Terms and Conditions to log into my ID Experts MyIDCare account?
    • In accordance with the Consolidated Appropriations Act of 2017, Public Law No. 115-31, OPM is required to continue to provide identity protection services to impacted individuals through Fiscal Year 2026. However, Federal Acquisition Regulations limit the duration of a contract to a period shorter than the mandated period of coverage.

      Therefore, the Government may need to re-compete identity protection services in the future. If another service provider is awarded the follow-on services for the duration of the mandated coverage period, the Government may require a means to notify individuals who have previously enrolled with ID Experts of the service provider change, their 25-digit enrollment PIN, as well as instructions on how to re-enroll with the new service provider.

      By reviewing and signing the updated ID Experts Privacy Policy and Terms and Conditions, you are acknowledging that the personally identifiable information provided during enrollment may be later provided to the Government for the purpose of providing a service provider change notification letter, in the event that the service provider changes prior to the end of the Congressional mandate period.

  • If I previously enrolled with ID Experts, can I get updated credit reports?
    • If you previously enrolled with ID Experts (MyIDCare) before December 31, 2018, a Tri-Bureau credit report was generated upon enrollment. You are also entitled to request an updated Tri-Bureau Credit Report. To do so, please call ID Experts at 1-800-750-3004.

      Please note, the Tri-Bureau Credit Report will be generated only once during the new BPA Call performance period. However, you are entitled to a free credit report from each of the three credit bureaus (Equifax, Experian, and TransUnion) once every 12 months. You can request all three reports at once or space them out throughout the year. You can request your free credit report by visiting Annual Credit Report at https://www.annualcreditreport.com or by calling 1-877-322-8228.

  • What should I do if I am concerned about identity theft?
  • What’s the difference between a credit freeze and a fraud alert, and is there a cost to place a credit freeze?
    • According to the Federal Trade Commission (FTC), a credit freeze, also known as a security freeze, lets you restrict access to your credit report, which in turn makes it more difficult for identity thieves to open new accounts in your name. That’s because most creditors need to see your credit report before they approve a new account. If they can’t see your file, they may not extend the credit.

      A fraud alert allows creditors to get a copy of your credit report as long as they take steps to verify your identity. Fraud alerts may be effective at stopping someone from opening new credit accounts in your name, but they may not prevent the misuse of your existing accounts. A fraud alert is free.

      Previously, depending on where you live, credit bureaus may have charged you to place a credit freeze. However, under the new Economic Growth, Regulatory Relief, and Consumer Protection Act, placing a credit freeze with the credit bureaus is now free. In addition, the new law extends the duration of a fraud alert on a consumer’s credit report from 90 days to one year.

      For more information on credit freeze or fraud alert, please visit the Federal Trade Commission website.

  • What services are being offered to impacted individuals?
    • Individuals whose data were impacted by the 2015 cyber incidents and their dependent minor children are entitled to the following services:

      • Identity monitoring
        Identity monitoring services include monitoring internet and database sources including those pertaining to criminal records, arrest records, bookings, court records, pay day loans, bank accounts, checks, sex offender, change of address, and Social Security number trace. These services are also available to your dependent minor children who were under the age of 18 before July 1, 2015. Please enroll with the service provider to access this service.
      • Credit monitoring
        Credit monitoring services include monitoring credit reports at all three national credit reporting agencies (i.e., Experian, Equifax, and TransUnion). Please enroll with the service provider to access this service.
      • Identity theft restoration services
        If your identity is compromised, representatives from the service provider will work with you to take steps to restore your identity. This includes counseling, investigating, and resolving identity theft issues on your behalf. You and your minor dependent children have access to this benefit at any time during the coverage period without having to enroll in monitoring services; however, to utilize the restoration services, you will need to verify that you are eligible to access services with the service provider.
      • Identity theft insurance
        If your identity is compromised and you would prefer to restore your identity yourself, rather than taking advantage of the free identity theft restoration services being provided to you, up to $5 million in identity theft insurance can help to reimburse you for certain expenses incurred if your identity is stolen. The insurance covers all incidents of identity theft that occur during the coverage period, regardless of the source. It also covers you for expenses incurred by restoring your identity, with no deductible. You and your dependent minor children have access to this benefit at any time during the coverage period without having to enroll in monitoring services; however, to utilize the restoration services, you will need to verify that you are eligible to access services with the service provider.
      • Mailed alternative services
        If you prefer to receive your identity monitoring and credit monitoring alerts through the mail rather than online, you can do so. This mailed alternative is offered in addition to your online portal access. Please enroll with the service provider to access this service.

  • Why have deceased individuals been notified?
    • Please accept our deepest sympathies on the loss of your loved one. A deceased individual may have been sent a notification letter because we determined his/her information was included in the 2015 cyber incidents. Our goal is to provide the information and tools to protect the deceased individual’s identity and credit, and that of any eligible dependent minor children.

      We are providing a comprehensive suite of identity theft protection and monitoring services. Each year, thieves steal the identities of nearly 2.5 million deceased Americans. To reduce the likelihood of any misuse, we are offering identity theft protection and credit monitoring services for deceased individuals who were impacted. Furthermore, for those impacted by the cyber incidents, we are also offering any deceased individual’s dependent children who were under the age of 18 as of July 1, 2015, identity protection services. These services include identity monitoring, identity theft insurance, and identity restoration services.

  • What should next of kin do when they receive a notification letter?
    • To protect against potential misuse, the deceased and any eligible dependents may be enrolled in the identity theft protection services at the OPM cybersecurity website using the 25-digit PIN code in the notification letter. Other personal information about the deceased, including the last four digits of the individual’s Social Security number, will be necessary to enroll. Please note that the 25-digit PIN code includes only numbers and does not include any letters or special characters.

  • Are dependent minor children of deceased individuals whose data were impacted eligible for identity protection and restoration services?
    • Dependent minor children of deceased individuals whose data were impacted by the 2015 cyber incidents are eligible to receive identity protection and restoration services. The eligible dependent minor children of the deceased may be enrolled in these services at the OPM Cybersecurity Resource Center using the 25-digit PIN code in the notification letter. Other personal information about the deceased, including the last four digits of the individual’s Social Security number, will be necessary to enroll. Please note that the 25-digit PIN code includes only numbers and does not include any letters or special characters.

      For purposes of coverage, dependent minor children are defined as children of impacted individuals who were under the age of 18 as of July 1, 2015, even if they were not listed on the form. If individuals have difficulty enrolling in services on-line, please call the service provider at 800-750-3004 Monday through Saturday, between 9:00 a.m. and 9:00 p.m. Eastern Time.

  • How can I further protect my deceased loved one’s identity?
    • Below are a few tips to reduce the risk of having a deceased person’s identity stolen:

      • Send the IRS a copy of the death certificate, which is used to flag the account to reflect that the person is deceased.
      • Send copies of the death certificate to each credit reporting bureau asking them to put a “deceased alert” on the deceased’s credit report. The addresses are:

        Experian
        P.O. Box 4500
        Allen, TX 75013

        Equifax Information Services LLC
        Office of Consumer Affairs
        P.O. Box 105139
        Atlanta, GA 30348

        TransUnion LLC
        P.O. Box 2000
        Chester, PA 19022

      • Review the deceased’s credit report for questionable credit card activity.
      • Avoid putting too much information in an obituary, such as birth date, address, mother’s maiden name or other personally identifying information that could be useful to identity thieves.

      More information to help you guard against identity theft is available on the IRS website. More tips to help protect a deceased person’s identity can also be found on the Identity Theft Center website; please type “deceased” in the search box.

  • What are my options if my information was not compromised? I don’t feel safe.
    • The Federal Government still recommends you remain vigilant about protecting your identity and monitoring your credit even if we have concluded your information was not impacted in the 2015 cyber incidents. There are several on-line resources available to assist you in protecting yourself:

      • For information about ways to protect yourself from identity theft, visit the Federal Trade Commission’s Identity Theft website.
      • For information about how to recover from identity theft, visit the Federal Government’s one-stop resource for identity theft victims at IdentityTheft.gov.
      • For information about what the Department of Justice is doing to stop identity theft fraud, visit the Department’s website.

  • What should I do if I have questions or concerns about my taxes?
    • You should contact the IRS or an independent tax advisor if you have questions related to your taxes.

  • What do I do if I experience suspicious activity related to my identity?
    • As part of the free identity protection services OPM is providing, you have access to services that will assist you, regardless of whether the suspicious or fraudulent activity is connected with the OPM incidents.

  • I received a suspicious call or communication. What can I do?
    • You will not receive an unsolicited phone call from OPM or the identity protection and credit monitoring service providers. However, we may reach out to a specific individual in response to a specific inquiry received from the individual or someone acting on his/her behalf. If you are contacted by anyone asking for your personal information in relation to this incident, do not provide it.

  • What is identity theft insurance? How much identity theft insurance coverage is being provided?
    • Should you wish to take action to restore your identity yourself instead of taking advantage of the free identity theft restoration services being provided to you, identity theft insurance can help to reimburse you for certain expenses incurred if your identity is stolen.

      Identity theft insurance for the 2015 cybersecurity incidents includes all incidents of identity theft that occur during the coverage period, regardless of the source. You are eligible to receive up to $5 million in identity theft insurance with no deductible.

  • I forgot my Username / Email Address or Password for MyIDCare.
    • You may retrieve your password online. To retrieve a username, you will again need to call the call center at the number listed below.

      • Retrieve Password: You may retrieve your password online by clicking “Forgot password” on the login screen at https://opm.myidcare.com/login.
      • Retrieve Username: The system requires each user to have a unique email address. For additional assistance, you may call the service provider at: 800-750-3004.

  • My browser is having trouble connecting with MyIDCare.
    • MyIDCare works with the latest versions of Internet Explorer, Google Chrome, and Mozilla Firefox web browsers. If your preferred browser is not working with MyIDCare, first try using a different browser; then try clearing your cache.

      If you are having difficulty accessing MyIDCare from a workplace network, please contact your office’s IT team to troubleshoot the matter.

  • When my free services expire, will I be automatically re-enrolled or forced to pay for anything?
    • At the end of your membership, it will expire and your membership will end. You will not be charged after your free membership expires, unless you choose to re-enroll on your own.

      OPM has utilized the General Services Administration (GSA) Identity Protection Services (IPS) Multiple Award Blanket Purchase Agreement (BPA) to award a consolidated BPA Call to Identity Theft Guard Solutions, LLC, doing business as ID Experts. ID Experts will provide impacted individuals with a comprehensive suite of identity theft protection and monitoring services. The new award, announced in December 2018, has a possible full period of performance of five years.

      This is part of OPM’s continuing efforts to provide coverage to all impacted individuals through FY 2026. OPM will continue to update this website with more information regarding implementing services for the duration of the mandated coverage period as it becomes available.

  • Does enrolling in credit monitoring impact my credit score?
    • Inquiries for credit monitoring purposes will not affect your credit scores or lending decisions. Such inquiries are not shared with lenders and do not affect your credit scores. They only appear on your credit report when you get it through the credit monitoring service to which you subscribe, or when you request your report directly from the credit reporting company.

  • I think I was impacted by the 2015 OPM cybersecurity incidents and was also impacted by another data breach at a different organization. Will OPM services cover me for identity theft that occurs because of this different data breach?
    • Individuals receiving services OPM is offering through ID Experts are covered for all incidents of identity theft that occur during the period of coverage, regardless of the source.

Have a FAQ that is not included on this page? Please email suggestions for additional FAQs to cybersecurity@opm.gov.
