The Office of Personnel Management (OPM) announced last week that 5.6 million fingerprint records were stolen in a data breach in April of this year, more than 5 times the original estimate of 1.1 million. In total, 21.5 million people were impacted by this data breach, including current and former federal employees, job applicants, contractors, and others who have had a federal background check. The fingerprint theft was discovered when OPM and the DOD found archived fingerprint records during an analysis of impacted data. OPM Director Katherine Archuleta resigned in July.

A biometric scanner (U.S. Navy photo by Aaron Schoenfeld)

Biometrics like fingerprints were not the only data stolen – social security numbers, names, addresses, health information, and financial records were also breached by the attackers. However, unlike numerical and assigned data such as names and even social security numbers, biometrics cannot be reassigned: “You only have 10 [biometric] passwords – if you’re lucky to have all of your fingers,” says Ryan Wilk, an anti-fraud and biometrics expert at NuData Security.

OPM has tried to downplay the significance of the theft, noting in a statement that “the ability to misuse fingerprint data is limited.” However, as authentication methods evolve, fingerprint data may become more important. OPM has announced the creation of a working group composed of the FBI, DHS, DOD, and other intelligence community members with the purpose of analyzing the potential impact of the theft. Affected individuals will be notified and offered free identity theft and fraud protection services. Officials are concerned that adversaries could use the data to identify intelligence agents, defense personnel, and government contractors; the CIA pulled officers from the U.S. Embassy in Beijing as a precautionary measure after the breach.

The intelligence community suspects that Chinese hackers are behind the breach, though government officials have not publicly blamed China. There is speculation that China is building a massive database of American officials and government contractors.
