The last of the letters from the U.S. Office of Personnel Management, or OPM, to the 21.5 million victims of a recent massive government data breach were sent last week. The letters provide information about the identity theft protection services offered to the victims along with instructions for signing up for those services.
A number of people who have received these letters have been concerned they are fake. Is this just an opportunity for thieves to lure people into providing personal information? The letters are real, but the fear that someone will try to scam people is real. It’s important to note there haven’t been any confirmed reports of data theft — yet.
But let’s go back to the beginning. Here’s what happened: Chinese hackers are believed to have infiltrated OPM databases in spring 2014; the hack wasn’t discovered until April 2015.
The hackers gained access to Social Security numbers, employment history and fingerprints of millions of former, current and prospective federal employees and their family members. Just this month, China announced it had arrested a number of suspected hackers and that they will be prosecuted.
About those letters
As for the letters, it’s important to remember the official notice was sent only by regular mail. No email notices have been or will be sent, so if you get an email that purports to be from the OPM, it is a scam.
The federal government has chosen Identity Theft Guard Solutions as the company to provide 3 years of free identity protection to victims. In the notification letter, you are urged to go to OPM’s website to enroll in the monitoring program; the letter includes a PIN to use in order to enroll.
During the enrollment process, you will be asked for your full Social Security number. This is necessary because the OPM provided the ID protection firm with only the PINs and last 4 digits of the Social Security numbers of the victims.
How could thieves attack?
Bad guys looking to steal information could copy the letter and change the website address where people are directed to enroll. The thieves instead would direct people to a phony OPM website where they would be prompted to provide personal information purportedly to enroll in the program. If you provide personal information to these scammers, you could end up a victim of identity theft.
Here is a link to the official website for enrolling in the credit monitoring services being offered by the OPM: https://www.opm.gov/cybersecurity/#Services. At this initial stage you will be prompted to input your PIN and only the last 4 digits of your Social Security number. You also can call the OPM at (866) 408-4555 if you have questions.
Remember, no identity theft protection company can prevent you from becoming a victim of identity theft. The best it can do is alert you sooner that your data has been stolen.
The best step you can take to protect yourself from identity theft is to put a credit freeze on your credit report. With a credit freeze, even if someone has your personal information including your Social Security number, they cannot access your credit report for purposes of gaining credit or loans in your name.
Steve Weisman is a lawyer, a professor at Bentley University in Waltham, Massachusetts, author of “Identity Theft Alert” and editor of the blog Scamicide.com.