OPM Now Admits 5.6m Feds’ Fingerprints Were Stolen By Hackers

23 Sep 2015

Fingerprints from 5.6 million people were stolen in huge U.S. data breach.

One of the scariest parts of the massive cybersecurity breaches at the Office of Personnel Management just got worse: The agency now says 5.6 million people’s fingerprints were stolen as part of the hacks. More than a quarter of the victims in a cyberattack on the federal government — which lost data belonging to 21 million people — also had their fingerprints stolen, a federal agency said Wednesday. When they steal 5.6 million of those irrevocable biometric identifiers from U.S. federal employees—many with secret clearances—well, that’s very bad. The breach is significant because fingerprints are increasingly being used by government agencies, corporations and consumers for access to computers, buildings and other devices. “Federal experts believe that, as of now, the ability to misuse fingerprint data is limited,” Samuel Schumach, a spokesman for OPM, which is the federal government’s jobs agency, said in a statement. “However, this probability could change over time as technology evolves.” U.S. officials and private cybersecurity experts believe the OPM breach, which compromised data on 21.5 million individuals, was carried out by the Chinese government. OPM also said an interagency working group including experts from law enforcement and the intelligence community will review ways that the fingerprint data could be abused and try to develop ways to prevent that from happening. “If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach,” OPM said.

Officials are quick to note that this digit data won’t be as useful to the hackers as the other sensitive information leaked through the attack (fooling a fingerprint reader requires some skill). The people in the hacked database included current and former federal employees, as well as people who had applied for background checks and their relatives. However, there’s a concern that the thieves could find a way to misuse those prints — and it’s not as if you can change your fingers once they’ve been compromised. Some privacy advocates are concerned about the latest disclosures. “The fact that the number [of finger prints breached] just increased by a factor of five is pretty mindboggling,” said Joseph Lorenzo Hall, the chief technologist at the Center for Democracy & Technology. “I’m surprised they didn’t have structures in place to determine the number of fingerprints compromised earlier during the investigation.” At least one lawmaker criticized the timing of the release, which occurred as the Pope is visiting Washington: “Today’s blatant news dump is the clearest sign yet that the administration still acts like the OPM hack is a PR crisis instead of a national security threat,” said Sen. But OPM had previously confirmed that the data of 21.5 million federal employees was potentially compromised by the hack—which likely originated in China—and that those victims included intelligence and military employees with security clearances.

The stolen information includes Social Security numbers; findings from background check interviews; information about past addresses, education and jobs; criminal and financial histories; and “some information regarding mental health.” Many reports have linked the attack to Chinese hackers. But that identity theft protection, which cost $133 million in likely misspent tax dollars, doesn’t begin to address the national security implications of having the fingerprints of high-level federal officials in the hands of hackers who are potentially employed by a foreign government.

Aside from the 21.5 million social security numbers taken by attackers and the newly confessed 5.6 million fingerprints, the agency has also confirmed that hackers gained access to many victims’ SF-86 forms, security clearance questionnaires that include highly personal information such as previous drug use or extramarital affairs that could be used for blackmail. “The American people have no reason to believe that they’ve heard the full story and every reason to believe that Washington assumes they are too stupid or preoccupied to care about cyber security,” Senator Ben Sasse wrote today in an email.
