Here’s How OPM Is Telling Hacked Feds Their Data Was Stolen

OPM

There are two types of notices: one for the roughly 16 million employees and family members whose Social Security numbers are known to have been compromised and another for the roughly 6 million people whose fingerprints were also copied.

Victims of a data breach that exposed intimate details on national security professionals inside and outside government, along with their families have begun receiving a generic notification letter directing them to a government website for assistance.

But, be forewarned, the site at the Office of Personnel Management, the agency responsible for the data, directs affected individuals to a dot-com web page for entering personal information.

The recently updated OPM site also now displays exactly what these letters look like, apparently to prevent any of the 21.5 million victims from responding to fraudulent letters.

There are two types of notices: one for the roughly 16 million employees and family members whose Social Security numbers are known to have been compromised and another for the roughly 6 million people whose fingerprints were also copied.

The letter contains a PIN that is required to register for three years of ID protection services.

The Defense Department, in coordination with OPM, has propped up the infrastructure to mail the letters, hunt down addresses and let people who think they might have been affected self-check their status.

The letters carry the insignia of OPM on the envelope and letterhead, according to recipients.

The message inside is from acting OPM Director Beth Cobert. It reads, in part:

"If you applied for a position or submitted a background investigation form, the information in our records may include your name, Social Security number, address, date and place of birth, residency, educational, and employment history. personal foreign travel history, information about immediate family as well as business and personal acquaintances, and other information used to conduct and adjudicate your background investigation. If your information was listed on a background investigation form by a spouse, or co-habitant, the information in our records may include your name, Social Security number, address, date and place of birth, and in some cases, your citizenship information."

The message to people whose biometrics were stolen is more specific: "Since you applied for a position or submitted a background investigation form... Our records also indicate your fingerprints were likely compromised during the cyber intrusion."

The hack, which was first disclosed in June, covers individuals who applied for a clearance to handle sensitive information as far back as 2000, according to officials and was purportedly part of a cyber espionage campaign backed by the Chinese government.

Callers to a 1-800 number provided in the letter are encouraged to enroll online rather than over the phone. A recorded message said notification letters are being “continuously mailed out with an estimated completion of mid-November.”

GovExec’s Eric Katz contributed to this report.