FYI.

This story is over 5 years old.

Tech

Whoops: OPM Says Hackers Stole 5.6 Million Fingerprints, Not 1.1 Million

The hack that keeps getting worse.
Image: fired/Shutterstock

Months after hackers first broke into Office of Personnel Management (OPM), the US government agency that handles all federal employee data, the hack keeps on getting worse.

In July, OPM revealed that the hackers, apart from getting their hands on highly sensitive private data from 21.5 million people that work for the government, they had also stolen 1.1 million scans of fingerprints.

Well, forget about that: it was actually "approximately" 5.6 million fingerprints, OPM's Press Secretary Samuel Schumach said in a statement on Wednesday. What's worse, that might not even be the final number, as Schumach noted that an interagency investigation team "will continue to analyze and refine the data as it prepares to mail notification letters to impacted individuals."

Advertisement

Fingerprints are starting to be used for background checks, to verify identities at borders, or to unlock phones, and their use is expected to increase, even in the government. Yet OPM estimates that there's a "limited" risk that the fingerprints could be abused.

"As of now, the ability to misuse this data is limited."

Asked whether OPM had any idea how the hackers, whom government officials privately believe to be Chinese, could misuse those fingerprints, Schumach said that what OPM has "learned from federal experts is that as of now, the ability to misuse this data is limited."

"Experts do acknowledge that the ability to misuse this data could increase over time as technology changes," he told Motherboard in an email.

You should probably take OPM's somewhat optimistic view with a grain of salt. Not just because the agency initially grossly underestimated the damage of a hack that they missed for months, but because experts actually believe that the theft of fingerprints might be the worst part of the breach, as previously reported by The National Journal.

"It's prob­ably the biggest coun­ter­in­tel­li­gence threat in my life­time."

"It's prob­ably the biggest coun­ter­in­tel­li­gence threat in my life­time," Jim Pen­rose, the former chief of the Op­er­a­tion­al Dis­cov­ery Cen­ter at the Na­tion­al Se­cur­ity Agency, told reporter Dustin Volz. "There's no situ­ation we've had like this be­fore, the com­prom­ise of our fin­ger­prints. And it doesn't have any easy rem­edy or fix in the world of in­tel­li­gence."

Advertisement

The main reason for that is that fingerprints, unlike passwords or social security numbers, can't be changed. So if the US government continues with its plans to increase the use of biometrics like fingerprints as a form of authentication, it will have to cope with the fact that the hackers, who are likely part of the Chinese intelligence community, now have the ability to spoof US government employees fingerprints.

Spoofing fingerprints isn't just the realm of science fiction or action movies anymore. In 2013, a German hacker

showed

that it was relatively easy to lift someone's fingerprint from, say, a glass, and reproduce it to

unlock an iPhone

.