Hackers got 5.6 million fingerprint files, OPM admits
Already the biggest government hack in US history, the data breach at the Office of Personnel Management keeps getting worse. The agency just admitted the hackers gained access to 5.6 million fingerprint records, five times more than originally thought.
“Of the 21.5 million individuals whose Social Security Numbers and other sensitive information were impacted by the breach, the subset of individuals whose fingerprints have been stolen has increased from a total of approximately 1.1 million to approximately 5.6 million,” the OPM admitted on Wednesday.
This has potentially disastrous ramifications for the individuals affected, since there is no way to change fingerprints once they have been compromised, unlike other personal information stolen in the breach.
The obvious downside of biometrics for security: can't change your fingerprints (easily) if credentials are stolen http://t.co/1CvIJraECN— Bryan Yeager (@bryanyeager) September 23, 2015
Citing federal experts, the agency cautioned that the opportunities to abuse the captured data are currently “limited,” but that this “could change over time as technology evolves.”
“If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach,” the OPM said.
#cybersecurity OPM data breach's big question: What's fingerprint data worth in future cyber attacks? http://t.co/g9eYdMCvpR#infosec— Digital Forensics (@CyberExaminer) September 23, 2015
While US officials have blamed China for the hack, Beijing rejects all such allegations.
"China is a strong defender of cybersecurity. China is also a victim of hacking attacks. The Chinese government will not, in any way, participate, encourage or support the theft of commercial secrets by anyone,” Chinese president Xi Jinping said in Seattle on Tuesday, on the first stop of his US visit. He is expected in Washington, DC on Thursday, for talks with US president Barack Obama.
Full text: China President Xi gives policy speech in Seattle, pledges to fight cybercrime http://t.co/033B9Ip8S0pic.twitter.com/OIPoXyZLLV— GeekWire (@geekwire) September 23, 2015
The OPM breach took place in December 2014, but was only discovered in April this year, and not revealed to the media until June. In the initial statement, the agency said up to four million federal employees might have been affected. By July, however, a second breach was discovered and that number was revised to 21.5 million current and former federal employees and their dependents.
As part of the second breach, the intruders stole the entire federal database of Standard Form 86. The 127-page form is part of a background check to gain a security clearance. It contains highly personal information about the applicant, including possible drug and alcohol abuses, financial and criminal history.
Second OPM hack puts 21.5 million people at risk http://t.co/mXnMb4DtZ0pic.twitter.com/cgURdFiGWe— RT America (@RT_America) July 10, 2015
The latest revelation, made while the media attention was riveted on the visit by Pope Francis I to Washington, has infuriated critics of the government’s handling of the breach.
“Today's blatant news dump is the clearest sign yet that the administration still acts like the OPM hack is a PR crisis instead of a national security threat," Senator Ben Sasse, a Nebraska Republican, said in a statement on Wednesday.
Following the initial reports of the breach in June, the American Federal of Government Employees (AFGE) called the scandal an “an abysmal failure on the part of the agency to guard data that has been entrusted to it by the federal workforce.” The union represents almost 700,000 federal workers.
READ MORE: OPM director resigns over hacks that exposed 21.5 million people’s data
OPM Director Katherine Archuleta resigned from her post on July 10, following the reports of a second breach. She was replaced by Deputy Director Beth Cobert.
The Department of Defense has awarded a $133 million contract to an identity theft protection company, to monitor the hacked data and provide services to the compromised individuals. The DoD also said it would start sending out notices to the individuals affected by the end of September, almost four months since the breach was announced. The notification process is expected to take until November 2015 – almost a year since the hack actually happened.