Government: 5.6M Fingerprints Stolen in U.S. Personnel Data Hack

24 Sep 2015

5.6 million fingerprints hacked: Cyber attack on US Office of Personnel Management 5 times worse than previously thought.

One of the scariest parts of the massive cybersecurity breaches at the Office of Personnel Management just got worse: The agency now says 5.6 million people’s fingerprints were stolen as part of the hacks. WASHINGTON (Reuters) – Hackers who stole security clearance data on millions of Defense Department and other U.S. government employees got away with about 5.6 million fingerprint records, some 4.5 million more than initially reported, the government said on Wednesday. However, OPM said Wednesday the total number of those believed to be caught up in the breaches, which included the theft of the Social Security numbers and addresses of more than 21 million former and current government employees, remains the same. US intelligence agencies have blamed China for the hacking against the office, which is the main custodian of the government’s most important personnel records, but it is unclear what group or organization engineered it.

The agency was the victim of what the U.S. believes was a Chinese espionage operation that affected an estimated 21.5 million current and former federal employees or job applicants. Before Wednesday, the agency had said it lost 1.1 million sets of fingerprints among the roughly 22 million individuals whose records were compromised. “Federal experts believe that, as of now, the ability to misuse fingerprint data is limited,” the agency said in a statement. But clearly the uses are growing as biometrics are used more frequently to assure identity, in secure government facilities and even on personal iPhones. So those affected by this breach may find themselves grappling with the fallout for years. “The fact that the number [of fingerprints breached] just increased by a factor of five is pretty mind-boggling,” said Joseph Lorenzo Hall, the chief technologist at the Center for Democracy & Technology. Investigators have assumed that China is building a huge database of information about US officials or contractors who may end up entering China or doing business with it.

The White House has said it’s going to discuss cybersecurity with Chinese President Xi Jinping when he visits President Barack Obama later this week. As fingerprints increasingly replace passwords as a day-to-day security measure for unlocking your iPhone or even your home, security experts have grown concerned about how hackers might leverage them. Federal experts believe the potential for “misuse” of the stolen fingerprints is currently limited, according to OPM, but that “could change over time as technology evolves.” It also said an interagency working group including experts from law enforcement and the intelligence community will review ways that the fingerprint data could be abused and try to develop ways to prevent that from happening. “If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach,” OPM said.

The United States has told China that industrial espionage in cyberspace by its government or proxies is “an act of aggression that has to stop,” Obama said recently. U.S. officials have said no evidence has surfaced yet suggesting the stolen data has been abused, though they fear the theft could present counterintelligence problems. Any intelligence officer whose prints have been taken would face great risk in operating under an alias because those prints would give away someone’s true identity. Other data on the forms that were obtained, about matters as varied as bankruptcies and personal and sexual relationships, could be used for blackmail. OPM spokesman Samuel Schumach said in the statement that the agency identified the “additional fingerprint data not previously analyzed” while working with the Department of Defense.

Lawmakers have harshly criticized the personnel agency’s handling of the data breach and its aftermath — and its habit of periodically revising upward the amount of information that was lost. Mike Rogers, the director of the Pentagon’s National Security Agency, has said his agency was brought in to help. “Today’s blatant news dump is the clearest sign yet that the administration still acts like the OPM hack is a PR crisis instead of a national security threat,” said Republican Sen. Government officials have not been able to explain publicly why it took more than a year to discover that information was leaving its systems at a tremendous rate. In response, Schumach said the agency only “very recently” learned of the new fingerprint data, and confirmed the final number on Wednesday morning. Rogers, said it had seen no evidence that the data lifted from the personnel agency had been used for any financial purpose, such as gaining access to bank accounts or credit cards.

While in Washington, Xi and Obama are expected to announce, at a minimum, that they are working together on new rules governing cyberspace that would amount to a first effort at a digital arms-control agreement. The stolen records included detailed biographical forms that federal employees must fill out to obtain security clearances, and they would have provided identifying information about friends and family in the U.S. and overseas. That kind of information would give the Chinese vast new opportunities to target people for recruitment, a process that can take years of intelligence-gathering. It also could allow the Chinese to pinpoint American intelligence officers abroad, given that CIA case officers are not in the database unless they held a previous government job.

And testifying to Congress alongside Rogers recently, he pushed back at lawmakers who called the breach at OPM an “attack.” Instead, he suggested, it was ordinary espionage. Hackers did not just get the data on federal employees, but also on job applicants, contractors, and many others who have been subjected to government background checks. “It was so big,” one senior intelligence official said, “that we have to ask the question of whether the scope of it changed the nature of the theft.” Although Obama has hinted at sanctions against China, largely for intellectual property theft, the administration has decided to put off the decision until Xi’s visit is complete.
