
OPM hackers stole 5.6 million fingerprints. Now what?

The federal Office of Personnel Management said on Wednesday that 5.6 million fingerprint files, not 1.1 million, had been stolen in the massive data breach over the summer. OPM and other agencies are working to determine how those stolen fingerprints could be misused.

By Jeff Ward-Bailey, Correspondent

Back in April, federal authorities realized that the computer systems of the federal Office of Personnel Management (OPM) had been breached, and that the attackers had stolen Social Security numbers, health information, and other data on more than 21 million current and former government workers and contractors. Among the stolen data were the fingerprint files stored in the system: more than 5.6 million of them, according to a statement released on Wednesday by OPM. The agency had originally estimated the number of stolen fingerprint files at just 1.1 million.

OPM says it's working with the FBI, the Department of Homeland Security, the Department of Defense, and other agencies to try to predict how attackers could use the stolen fingerprints, and to develop ways to mitigate the harm that might come to those whose data was stolen. "Federal experts believe that, as of now, the ability to misuse fingerprint data is limited," OPM Press Secretary Sam Schumach wrote in the statement. "However, this probability could change over time as technology evolves."

As more and more devices, from smartphones to laptops, ship with fingerprint readers built in, the potential for misuse of stolen fingerprints grows. Attackers could combine fingerprint data with stolen usernames and passwords to gain access to sensitive systems, or use it to identify government workers when they travel abroad. And while biometric factors such as fingerprint and retina scans are in many ways stronger than old-fashioned passwords, they have one fundamental weakness: a compromised password can be changed, but a fingerprint can never be reset or reissued once it has been stolen.

The hack suggests that large-scale intrusion-detection measures aren't keeping pace with increasingly sophisticated attacks against government computer systems. The Department of Homeland Security's multibillion-dollar "Einstein" system, which has been in place in some form since 2004, analyzes network traffic to detect hacks as they're happening. But the activity in the OPM breach looked more or less like everyday network traffic, and it wasn't caught until officials analyzed the data more closely after investigating a different attack. In November 2014 the OPM Inspector General reported that the agency's security practices amounted to a "significant deficiency," and that eleven major systems constituted a "material weakness" because of how they were set up.

The White House has ordered OPM and other agencies to increase their cybersecurity measures by patching vulnerabilities, upgrading their software, and enabling multi-factor authentication for sensitive systems. President Obama said he plans to discuss cybersecurity issues with Chinese President Xi Jinping during his US visit this week.

Earlier in the summer anonymous federal officials said Chinese hackers were responsible for the breach, but China denied the charges and the US never formally blamed the country for the hack. OPM initially reported that data had been stolen on 4.2 million government workers and contractors (and their spouses and family members), but later revised the figure up to 21.5 million people.