OPM hackers stole 5.6 million fingerprints. Now what?

The federal Office of Personnel Management said on Wednesday that 5.6 million fingerprint files, not 1.1 million, had been stolen in the massive data breach over the summer. OPM and other agencies are working to determine how those stolen fingerprints could be misused.

Back in April, federal authorities realized that the computer systems of the federal Office of Personnel Management (OPM) were being attacked, and that hackers had stolen Social Security numbers, health information, and other data on more than 21 million current and former government workers and contractors. Among the data stolen were fingerprint files stored in the system – more than 5.6 million of them, according to a statement released on Wednesday by OPM. The agency had originally estimated the number of stolen fingerprint files at just 1.1 million.

OPM says it’s working with the FBI, the Department of Homeland Security, the Department of Defense, and other agencies to try to predict how attackers could use the stolen fingerprints, and to develop ways to mitigate the harm that might come to those whose data was stolen. “Federal experts believe that, as of now, the ability to misuse fingerprint data is limited,” OPM Press Secretary Sam Schumach wrote in the statement. “However, this probability could change over time as technology evolves.”

As more and more devices, from smartphones to laptops, ship with fingerprint readers included, the potential for misuse of stolen fingerprints grows. Attackers could couple fingerprint data with usernames and passwords to gain access to sensitive systems, or to identify government workers when they travel abroad. And while biometric security measures such as fingerprint and retina scans are in many ways more secure than old-fashioned passwords, they can never be reset if they’re stolen. 

The hack suggests that large-scale intrusion-detection measures aren’t keeping pace with increasingly sophisticated attacks against government computer systems. The Department of Homeland Security’s multibillion-dollar “Einstein” system, which has been in place in some form since 2004, analyzes network traffic to detect hacks as they’re happening – but the tactics employed in the OPM breach looked more or less like everyday network traffic, and weren’t caught until officials analyzed the data more closely after a different attack. In November 2014 the OPM Inspector General reported that the agency’s security practices amounted to a “significant deficiency,” and that eleven major systems were a “material weakness” because of how they were set up.

The White House has ordered OPM and other agencies to increase their cybersecurity measures by patching vulnerabilities, upgrading their software, and enabling multi-factor authentication for sensitive systems. President Obama said he plans to discuss cybersecurity issues with Chinese President Xi Jinping during his US visit this week.

Earlier in the summer anonymous federal officials said Chinese hackers were responsible for the breach, but China denied the charges and the US never formally blamed the country for the hack. OPM initially reported that data had been stolen on 4.2 million government workers and contractors (and their spouses and family members), but later revised the figure up to 21.5 million people.