OPM hackers stole 5.6 million fingerprints. Now what?

The federal Office of Personnel Management said on Wednesday that 5.6 million fingerprint files, not 1.1 million, had been stolen in the massive data breach over the summer. OPM and other agencies are working to determine how those stolen fingerprints could be misused.

Tibor Rosta/AP
The Office of Personnel Management revised the number of fingerprint data files stolen in a hack from 1.1 million to 5.6 million. Here, a migrant's fingerprints are recorded at the border between Serbia and Hungary on September 18, 2015.

Back in April, federal authorities realized that the computer systems of the federal Office of Personnel Management (OPM) were being attacked, and that hackers had stolen Social Security numbers, health information, and other data on more than 21 million current and former government workers and contractors. Among the data stolen were fingerprint files stored in the system – more than 5.6 million of them, according to a statement released on Wednesday by OPM. The agency had originally estimated the number of stolen fingerprint files at just 1.1 million.

OPM says it’s working with the FBI, the Department of Homeland Security, the Department of Defense, and other agencies to try to predict how attackers could use the stolen fingerprints, and to develop ways to mitigate the harm that might come to those whose data was stolen. “Federal experts believe that, as of now, the ability to misuse fingerprint data is limited,” OPM Press Secretary Sam Schumach wrote in the statement. “However, this probability could change over time as technology evolves.”

As more and more devices, from smartphones to laptops, ship with fingerprint readers included, the potential for misuse of stolen fingerprints grows. Attackers could couple fingerprint data with usernames and passwords to gain access to sensitive systems, or to identify government workers when they travel abroad. And while biometric security measures such as fingerprint and retina scans are in many ways more secure than old-fashioned passwords, they can never be reset if they’re stolen. 

The hack suggests that large-scale intrusion-detection measures aren’t keeping pace with increasingly sophisticated attacks against government computer systems. The Department of Homeland Security’s multibillion-dollar “Einstein” system, which has been in place in some form since 2004, analyzes network traffic to detect hacks as they’re happening – but the tactics employed in the OPM breach looked more or less like everyday network traffic, and weren’t caught until officials analyzed the data more closely after a different attack. In November 2014 the OPM Inspector General reported that the agency’s security practices amounted to a “significant deficiency,” and that eleven major systems were a “material weakness” because of how they were set up.
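The article's point that traffic analysis missed activity that "looked more or less like everyday network traffic" can be illustrated with a small detection script. This is an added example, not code from the article, OPM or DHS, and it makes no claim about how the Einstein system actually works: it runs an indicator-list (signature) check and a per-host daily egress baseline check over constructed flow records, showing that sessions on ordinary ports to unlisted destinations evade the first but can still trip the second. All hostnames, byte counts, the indicator list and the z-score threshold are constructed assumptions.

```python
"""
Added example (not from the article, OPM or DHS): a signature-only network
monitor versus a per-host egress baseline, run over constructed flow records.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (day, src_host, dst_host, dst_port, bytes_out).
FLOWS = [
    # Ordinary browsing and mail from two workstations on days 1-5.
    *[(d, "ws-01", "cdn.example.net", 443, 40_000 + 500 * d) for d in range(1, 6)],
    *[(d, "ws-02", "mail.example.net", 443, 30_000 + 300 * d) for d in range(1, 6)],
    # Day 6: ws-02 opens a dozen ordinary-looking HTTPS sessions that together
    # move far more data out than that host ever has before.
    *[(6, "ws-02", "files.example-cloud.net", 443, 250_000) for _ in range(12)],
    (6, "ws-01", "cdn.example.net", 443, 43_000),
]

# Constructed indicator list standing in for a signature feed (placeholder value).
KNOWN_BAD_DST = {"c2.placeholder.invalid"}


def signature_hits(flows):
    """Indicator matching: flags only destinations already on the list."""
    return [f for f in flows if f[2] in KNOWN_BAD_DST]


def daily_egress(flows):
    """Sum bytes sent out per (host, day)."""
    totals = defaultdict(int)
    for day, host, _dst, _port, nbytes in flows:
        totals[(host, day)] += nbytes
    return totals


def baseline_alerts(flows, baseline_days, z_threshold=3.0):
    """Flag any (host, day) outside the baseline window whose egress exceeds
    mean + z * stdev of that host's baseline days.

    Returns a list of (host, day, bytes_out, threshold) tuples.
    """
    totals = daily_egress(flows)
    alerts = []
    for host in sorted({h for h, _ in totals}):
        hist = [totals[(host, d)] for d in baseline_days if (host, d) in totals]
        if len(hist) < 2:
            continue  # not enough history to form a baseline
        mu, sigma = mean(hist), pstdev(hist)
        # Floor sigma at 5% of the mean so a perfectly flat baseline still yields
        # a usable threshold instead of alerting on any byte of variation.
        threshold = mu + z_threshold * max(sigma, 0.05 * mu)
        for (h, day), total in totals.items():
            if h == host and day not in baseline_days and total > threshold:
                alerts.append((host, day, total, round(threshold)))
    return alerts


if __name__ == "__main__":
    print("signature hits:", signature_hits(FLOWS))
    print("baseline alerts:", baseline_alerts(FLOWS, baseline_days=range(1, 6)))
```

Run stand-alone, the signature check returns nothing, because every destination is on port 443 and none is on the indicator list, while the baseline check flags ws-02 on day 6 for sending roughly 3 MB against a threshold of about 35 KB. The lesson is the one the article draws: a monitor keyed only to known-bad indicators has no opinion about traffic that looks normal, so it needs to be paired with per-host or per-user behavioural baselines that notice when a normal-looking protocol is being used in an abnormal volume or pattern.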

The White House has ordered OPM and other agencies to increase their cybersecurity measures by patching vulnerabilities, upgrading their software, and enabling multi-factor authentication for sensitive systems. President Obama said he plans to discuss cybersecurity issues with Chinese President Xi Jinping during his US visit this week.

Earlier in the summer anonymous federal officials said Chinese hackers were responsible for the breach, but China denied the charges and the US never formally blamed the country for the hack. OPM initially reported that data had been stolen on 4.2 million government workers and contractors (and their spouses and family members), but later revised the figure up to 21.5 million people.
