Millions more government fingerprints deemed stolen

24 Sep 2015 | Author: | No comments yet »

5.6M people apply for security clearances after fingerprints stolen in data breach.

WASHINGTON — One of the scariest parts of the massive cybersecurity breaches at the Office of Personnel Management just got worse: The agency now says 5.6 million people’s fingerprints were stolen as part of the hacks. US intelligence agencies have blamed China for the hacking against the office, which is the main custodian of the government’s most important personnel records, but it is unclear what group or organization engineered it. The agency was the victim of what the U.S. believes was a Chinese espionage operation that affected an estimated 21.5 million current and former federal employees or job applicants.

The announcement comes on the second day of a visit to the United States by Chinese president Xi Jinping, who is due to meet with President Obama Friday in Washington amid a backdrop of accusations by U.S. officials of Chinese hacks of American government and businesses computers. However, OPM said Wednesday the total number of those believed to be caught up in the breaches, which included the theft of the Social Security numbers and addresses of more than 21 million people applying for or receiving government security clearances, remains the same. Before Wednesday, the agency had said it lost 1.1 million sets of fingerprints among the roughly 22 million individuals whose records were compromised. “Federal experts believe that, as of now, the ability to misuse fingerprint data is limited,” the agency said in a statement. But clearly the uses are growing as biometrics are used more frequently to assure identity, in secure government facilities and even on personal iPhones.

Investigators have assumed that China is building a huge database of information about US officials or contractors who may end up entering China or doing business with it. So those affected by this breach may find themselves dealing with the fallout for years. “The fact that the number [of fingerprints breached] just increased by a factor of five is pretty mind-boggling,” said Joseph Lorenzo Hall, the chief technologist at the Center for Democracy & Technology. “I’m surprised they didn’t have structures in place to determine the number of fingerprints compromised earlier during the investigation.” “OPM keeps getting it wrong,” said Rep. Jason Chaffetz, R-Utah. “I have zero confidence in OPM’s competence and ability to manage this crisis.” As fingerprints increasingly replace passwords as a day-to-day security measure for unlocking your iPhone or even your home, security experts have grown concerned about how hackers might use them.

Federal experts believe the potential for “misuse” of the stolen fingerprints is currently limited, according to OPM, but that “could change over time as technology evolves.” It also said an interagency working group including experts from law enforcement and the intelligence community will review ways that the fingerprint data could be abused and try to develop ways to prevent that from happening. “If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach,” OPM said. For American intelligence agencies, the notion that the Chinese have fingerprints on millions of federal security clearance holders, some of whom may be intelligence officers overseas, is troubling. Any intelligence officer whose prints have been taken would face great risk in operating under an alias because those prints would give away someone’s true identity.

Other data on the forms that were obtained, about matters as varied as bankruptcies and personal and sexual relationships, could be used for blackmail. OPM officials say they suspect hackers gained access to the OPM network in May 2014 via a contractor’s stolen login information, and were inside the system for almost a year before the smaller hack was discovered in April. OPM spokesman Samuel Schumach said in the statement that the agency identified the “additional fingerprint data not previously analyzed” while working with the Department of Defense.

Lawmakers have harshly criticized the personnel agency’s handling of the data breach and its aftermath — and its habit of periodically revising upward the amount of information that was lost. Officials said they discovered the second, larger hack while investigating the first, and that they suspected both hacks were the work of the same party. Mike Rogers, the director of the Pentagon’s National Security Agency, has said his agency was brought in to help. “Today’s blatant news dump is the clearest sign yet that the administration still acts like the OPM hack is a PR crisis instead of a national security threat,” said Republican Sen. Government officials have not been able to explain publicly why it took more than a year to discover that information was leaving its systems at a tremendous rate. In response, Schumach said the agency only “very recently” learned of the new fingerprint data, and confirmed the final number on Wednesday morning.

Rogers, said it had seen no evidence that the data lifted from the personnel agency had been used for any financial purpose, such as gaining access to bank accounts or credit cards. While in Washington, Xi and Obama are expected to announce, at a minimum, that they are working together on new rules governing cyberspace that would amount to a first effort at a digital arms-control agreement. The stolen records included detailed biographical forms that federal employees must fill out to obtain security clearances, and they would have provided identifying information about friends and family in the U.S. and overseas. That kind of information would give the Chinese vast new opportunities to target people for recruitment, a process that can take years of intelligence-gathering. It also could allow the Chinese to pinpoint American intelligence officers abroad, given that CIA case officers are not in the database unless they held a previous government job.

And testifying to Congress alongside Rogers recently, he pushed back at lawmakers who called the breach at OPM an “attack.’’ Instead, he suggested, it was ordinary espionage. But despite those public statements, several officials have said in background briefings that the scale of the breach was so vast that it might require some kind of government response. Hackers did not just get the data on federal employees, but also on job applicants, contractors, and many others who have been subjected to government background checks. “It was so big,” one senior intelligence official said, “that we have to ask the question of whether the scope of it changed the nature of the theft.” Although Obama has hinted at sanctions against China, largely for intellectual property theft, the administration has decided to put off the decision until Xi’s visit is complete.

Our partners
Follow us
Contact us
Our contacts

About this site