Gov't Severely Underestimated How Many Fingerprints Were Stolen in Data Hack

The federal Office of Personnel Management announced this week that it had underestimated fingerprint data stolen in a massive hack of its system earlier this year.

Photo credit: Shutterstock

In July it had said the fingerprint data of 1.1 million individuals was compromised in the hack. On Wednesday, OMP upped that number to 5.6 million.

"As part of the government’s ongoing work to notify individuals affected by the theft of background investigation records, the Office of Personnel Management and the Department of Defense have been analyzing impacted data to verify its quality and completeness," a news release from the office stated. "During that process, OPM and DOD identified archived records containing additional fingerprint data not previously analyzed."

Letters will be sent to the people who were impacted by this breach, but, for now, experts reviewing the situation believe misuse of this data is limited.

"However, this probability could change over time as technology evolves," OPM's statement acknowledged. "Therefore, an interagency working group with expertise in this area – including the FBI, DHS, DOD, and other members of the Intelligence Community – will review the potential ways adversaries could misuse fingerprint data now and in the future."

OMP said the group also intends to be proactive, seeing if there are ways to prevent misuse in the first place.

In July, when it was revealed that fingerprint data was included in the breach, CNN reported cybersecurity expert Robert Lee said the theft of this data, over passwords, for example, is particularly concerning.

"It's not like they have someone's password. Fingerprints are data that doesn't change. They'll never change. Twenty years from now, this will still be useful," he told CNN.

In total, 21.5 million individuals were impacted by the breach, which included information like social security numbers and other sensitive data. The government is providing identity theft and fraud protection free of charge to all individuals and their minor children affected by the hack. 

“Today's blatant news dump is the clearest sign yet that the administration still acts like the OPM hack is a PR crisis instead of a national security threat," Sen. Ben Sasse (R-Neb.) said in a statement. "The American people have no reason to believe that they've heard the full story and every reason to believe that Washington assumes they are too stupid or preoccupied to care about cyber security."

Jason Chaffetz, chairman of the House Oversight & Government Reform Committee, also issued a statement blasting OPM because it "keeps getting it wrong."

"This breach continues to worsen for the 21.5 million Americans affected," the Republican congressman from Utah said. "I have zero confidence in OPM’s competence and ability to manage this crisis. OPM's IT management team is not up to the task. They have bungled this every step of the way."

—

Front page image via Shutterstock. This story has been updated to include more information.