WASHINGTON, D.C. (June 18, 2015) – Through the course of the ongoing investigation into the cyber intrusion that compromised personnel records of current and former Federal employees that was announced June 4, OPM has recently discovered that additional systems were compromised.
These systems included those that contain information related to the background investigations of current, former, and prospective Federal government employees, as well as other individuals for whom a federal background investigation was conducted.
This separate incident – like the one that was announced June 4 affecting personnel information of current and former federal employees – was discovered as a result of OPM’s aggressive efforts to update its cybersecurity posture, adding numerous tools and capabilities to its network.
OPM, the Department of Homeland Security and the FBI are working as part of this ongoing investigation to determine the number of people affected by this separate intrusion. OPM will notify those individuals whose information may have been compromised as soon as practicable. OPM will provide updates when we have more information on how and when these notifications will occur.
OPM remains committed to improving its security capabilities and has invested significant resources in implementing tools to strengthen its security barriers. Additionally, the Office of Management and Budget has instructed federal agencies to immediately take a number of steps to further protect federal information and assets and improve the resilience of federal networks.
For those individuals potentially affected by the incident announced June 4 regarding personnel information, OPM is offering affected individuals credit-monitoring services and identity-theft insurance to mitigate the risk of fraud and identity theft with CSID, a company that specializes in identity-theft protection and fraud resolution. This comprehensive, 18-month membership includes credit report access, credit monitoring, identity theft insurance and recovery services, and is available immediately at no cost to affected individuals identified by OPM. Additional information is available on the company’s website and by calling toll-free 844-777-2743 (International callers: call collect 512-327-0705).
Protecting the integrity of the information OPM maintains is the agency’s highest priority. OPM continually evaluates our IT security protocols to make sure sensitive data is protected to the greatest extent possible, across all networks. Because cybercrime is an evolving and pervasive threat, we are continuously working to identify and mitigate threats when they occur. The following are some key reminders of the seriousness of cyber threats and of the importance of vigilance in protecting our systems and data.
Steps for Monitoring Your Identity and Financial Information
- Monitor financial account statements and immediately report any suspicious or unusual activity to financial institutions.
- Request a free credit report at www.AnnualCreditReport.com or by calling 1-877-322-8228. Consumers are entitled by law to one free credit report per year from each of the three major credit bureaus – Equifax, Experian and TransUnion – for a total of three reports every year. Contact information for the credit bureaus can be found on the Federal Trade Commission website.
- Review resources provided on the FTC identity theft website. The FTC maintains a variety of consumer publications providing comprehensive information on computer intrusions and identity theft.
- You may place a fraud alert on your credit file to let creditors know to contact you before opening a new account in your name. Simply call TransUnion at 1-800-680-7289 to place this alert. TransUnion will then notify the other two credit bureaus on your behalf.
Precautions to Help You Avoid Becoming a Victim
- Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about you, your employees, your colleagues or any other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
- Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information.
- Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
- Do not send sensitive information over the Internet before checking a website’s security (for more information, see Protecting Your Privacy.
- Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
- If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group.
- Install and maintain anti-virus software, firewalls and email filters to reduce some of this traffic (for more information, see Understanding Firewalls, Understanding Anti-Virus Software and Reducing Spam.
- Take advantage of any anti-phishing features offered by your email client and Web browser.
- Employees should take steps to monitor their personally identifiable information and report any suspected instances of identity theft to the FBI’s Internet Crime Complaint Center.
- Additional information about preventive steps by consulting the Federal Trade Commission’s website, www.identitytheft.gov. The FTC also encourages those who discover that their information has been misused to file a complaint with the commission using the contact information below.
Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, DC 20580