The Office of Personnel Management confirmed on Wednesday that more than 5.6 million people’s fingerprints were stolen as part of the originally reported data hack. OPM said Wednesday the total number of those believed to be caught up in the breaches, which included the theft of the Social Security numbers and addresses of more than 21 million former and current government employees, remains the same.
OPM and the Defense Department were reviewing the theft of the background investigation records when they identified fingerprint data that had been exposed. Breaches involving biometric data like fingerprints are particularly concerning to privacy experts because of their permanence: unlike passwords and even Social Security numbers, fingerprints cannot be changed. So those affected by this breach may find themselves grappling with the fallout for years. Members of Congress are upset over the latest development. “OPM keeps getting it wrong,” said Rep. Jason Chaffetz. “I have zero confidence in OPM’s competence and ability to manage this crisis.”
White House spokesman Josh Earnest said Wednesday that he did not have any further details on who is responsible for the breach, but privately, U.S. officials have pointed to China. Chinese President Xi Jinping will meet with President Obama later this week, and cybercrimes are expected to be a major topic of their discussions. The U.S. has warned China that economic sanctions may be imposed if the cyberbreaches continue. In response to the OPM hack, the U.S. has offered limited credit monitoring and ID theft protection to those whose records were stolen.
Officials worry the fingerprint data could be used to identify intelligence agents, though they have not seen any evidence of that so far. In a statement, OPM said federal experts believe that “as of now the ability to misuse fingerprint data is limited. However this probability could change over time as technology evolves.” OPM posted the statement on its website, admitting to the discovery of the stolen fingerprints.
“As part of the government’s ongoing work to notify individuals affected by the theft of background investigation records, the Office of Personnel Management and the Department of Defense have been analyzing impacted data to verify its quality and completeness,” the statement reads. “During that process, OPM and [the Department of Defense] identified archived records containing additional fingerprint data not previously analyzed. Of the 21.5 million individuals whose Social Security Numbers and other sensitive information were impacted by the breach, the subset of individuals whose fingerprints have been stolen has increased from a total of approximately 1.1 million to approximately 5.6 million.”
The increased number of stolen fingerprints represents only the latest in a series of calamitous revelations from OPM about the hacker intrusion that led to the resignation of the agency’s director, Katherine Archuleta, in July. Aside from the 21.5 million Social Security numbers taken by attackers and the newly confessed 5.6 million fingerprints, the agency has also confirmed that hackers gained access to many victims’ SF-86 forms, security clearance questionnaires that include highly personal information such as previous drug use or extramarital affairs that could be used for blackmail.
“The American people have no reason to believe that they’ve heard the full story and every reason to believe that Washington assumes they are too stupid or preoccupied to care about cyber security,” Senator Ben Sasse wrote today in an email.
As fingerprints increasingly replace passwords as a day-to-day security measure for unlocking your iPhone or even your home, security experts have grown concerned about how hackers might leverage them.