The hack of a federal government system earlier this year got even more personal when the Office of Personnel Management revealed that fingerprint data from 5.6 million individuals (an updated estimate from 1.1 million originally) was part of the breach that already included Social Security numbers, birth dates, place of birth and address information.
The hack shows that biometrics, often imagined as the gold standard of security because they are unique to the individual, are not a perfectly sound security measure on their own.
"It's a password that will never change," Ebba Blitz, a security expert and president of Alertsec, told TheBlaze.
Unlike credit cards and even Social Security numbers, fingerprints cannot simply be reissued after a breach.
And yet, Ken Dort, another security expert and partner with the Intellectual Property Practice Group, said that given how biometrics are usually employed, using the stolen fingerprint data to defeat a security control is not very realistic (at least not yet).
"Biometric is never really a stand-alone," Dort said.
While some people use their fingerprint to unlock their smartphones, as a commonplace example, Dort said this is just a proxy for typing in a numeric passcode. In the defense world, biometrics are used as one factor in a three-factor authentication scheme, he explained.
Dort said with such a system you would have the "something you know (a password), something you are (a fingerprint or iris) and the last would be something you have (a key or RFID chip). You either have all three of those at once."
The James Bond-style scenario, in which someone uses the stolen fingerprint data to physically replicate a person's fingerprint with a 3-D printer or the like and then uses it to gain access to information they shouldn't have, is not very likely, Dort said.
Where the hacked fingerprint data could be concerning is if it is used to reveal or confirm the identity of, say, an American or foreign spy working for the U.S.
"Somebody now has their fingerprints and could figure out who they are," Dort said.
In a statement last week, OPM said that the "ability to misuse fingerprint data is limited. However, this probability could change over time as technology evolves. Therefore, an interagency working group with expertise in this area – including the FBI, DHS, DOD, and other members of the Intelligence Community – will review the potential ways adversaries could misuse fingerprint data now and in the future. This group will also seek to develop potential ways to prevent such misuse."
Overall, Dort said the issue with the OPM hack is that it's "the federal government and they’re supposed to be above all that."
"[It's] just waving the red flag that the government systems are in sore need of upgrading," Dort said, citing other examples of breaches over the last few years. "We can’t really say any more than that, they just need to get it done."
What's more, he said the person the "average Joe needs to rely on the most for their data security is themselves."
"Take it into your own hands to make sure that you change passwords regularly, that you don't write passwords down, that you check on credit reports every six months or so. Check your credit card records regularly. I urge people to really be proactive on their own."
Another way to do this is to enable two-factor authentication wherever it is offered. Google, for example, provides a two-step verification option that users can turn on. Once it is enabled, Google asks the person logging in for their password and for a second piece of information, such as a code it has just texted to them.
For individuals who are extremely security conscious, and for some businesses, Blitz recommended taking it to the next level with encryption.
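The three-factor scheme Dort describes and the Google-style password-plus-texted-code login are the same idea from the verifier's side: a login succeeds only when every factor checks out, so a single stolen factor (a password, or for that matter a fingerprint template) is not enough on its own. The Python below is an added example, not code from the article, from Google, from Alertsec or from anyone quoted here. It assumes a constructed user record (a salted PBKDF2 password hash plus a per-user OTP secret) and derives the second-factor code with the HMAC-based one-time-password construction (RFC 4226 truncation over RFC 6238 time steps) instead of an SMS gateway; the password and OTP secret are made up (the secret is the RFCs' published test key), and the record layout is hypothetical.

```python
import hashlib
import hmac
import os
import struct
import time

ITERATIONS = 200_000   # PBKDF2 work factor; raise it as hardware gets faster
STEP = 30              # seconds each one-time code stays valid
DIGITS = 6


# "Something you know": store a salted, stretched hash, never the password.
def enroll(password, otp_secret, salt=None):
    """Build the stored record for one user (constructed, hypothetical schema)."""
    salt = salt if salt is not None else os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "pw_hash": pw_hash, "otp_secret": otp_secret}


def check_password(password, salt, pw_hash):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Constant-time comparison so response timing does not leak matching bytes.
    return hmac.compare_digest(candidate, pw_hash)


# Second factor: a short-lived code derived from a per-user secret and the
# current 30-second time step (HOTP truncation per RFC 4226, time-based per
# RFC 6238). A texted code looks the same to the verifier: something generated
# server-side that expires quickly and is checked against what the user submits.
def one_time_code(otp_secret, now):
    counter = int(now) // STEP
    mac = hmac.new(otp_secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** DIGITS)).zfill(DIGITS)


def check_code(otp_secret, submitted, now, window=1):
    """Accept the current step and +/- `window` neighbours to absorb clock drift."""
    for drift in range(-window, window + 1):
        expected = one_time_code(otp_secret, now + drift * STEP)
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return True
    return False


def login(record, password, code, now):
    """Evaluate both factors before answering, so a failed attempt does not
    reveal which factor was wrong to whoever is trying the stolen one."""
    pw_ok = check_password(password, record["salt"], record["pw_hash"])
    code_ok = check_code(record["otp_secret"], code, now)
    return pw_ok and code_ok


if __name__ == "__main__":
    # Constructed sample user; the OTP secret is the RFC 4226/6238 test key.
    user = enroll("correct horse battery staple", b"12345678901234567890")
    now = time.time()
    good_code = one_time_code(user["otp_secret"], now)
    print("password only:        ", login(user, "correct horse battery staple", "000000", now))
    print("password + code:      ", login(user, "correct horse battery staple", good_code, now))
    print("code, wrong password: ", login(user, "hunter2", good_code, now))
```

Run it directly and only the line with both factors prints `True`. The one-step drift window in `check_code` is a deliberate trade-off: it tolerates a slightly skewed clock but also lengthens the period during which an intercepted code remains usable, and a real deployment would additionally refuse to accept the same code twice within its step.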
"How do you know that you have encrypted exactly the right files that might be hacked at some point?" she asked. "You should encrypt the hard disk [of the computer]. If that is encrypted and you don’t have the correct key the computer won’t even boot — it won’t even start. You should protect yourself at the lowest possible level."
Blitz acknowledged that for a private person or a smaller company without an IT department, this might sound daunting. But she said that's the point of her company, Alertsec, which provides the IT infrastructure for encryption services.
"It’s like buying insurance," Blitz said. "You might say 'I’ll do it next week,'... but when you have a breach, when you’ve lost your computer in a taxi, in the airport, when the problem has already occurred, then it’s too late."
"I think there is no other way than to just embrace encryption," she said, calling it the next step in the evolving tech-security world. "[The hackers] are not only after the big guys anymore, they’re after small guys. They steal a little bit here, a little there. I think security needs to follow in the same tracks."
Front page image via Shutterstock. This story has been updated to correct a typo in the headline.