The Office of Personnel Management (OPM) revealed yesterday morning that the breach of the OPM background check system included roughly 5.6 million fingerprints belonging to federal employees, contractors, and other individuals subject to federal background checks. The new number, which follows the latest discovery that archived data was stolen during the breach, quintuples the number of individuals whose fingerprints were initially believed to be stolen in the attack. According to investigators, the previous OPM estimate was that roughly 1.1 million fingerprints had been stolen. However, the new findings have not increased the number of individuals affected, which initially stood at 4 million until it was revealed two months ago that the actual number of people affected in the OPM breach is 21.5 million.
Fingerprints stolen by the attackers were collected as part of the OPM’s background investigations at all levels of sensitivity, ranging from the “National Agency Check with Written Inquiries” (NACI), which serves federal employees with “moderate, low risk and non-sensitive positions,” all the way up to top-secret sensitive positions. According to leaked statements from the Obama administration, the fingerprint information that was stolen is now, at a minimum, in the hands of the foreign intelligence services of China. How the fingerprint data will be used remains a mystery.
“Federal experts believe that, as of now, the ability to misuse fingerprint data is limited,” the Office of Personnel Management’s Press Secretary, Sam Schumach, said in a statement published Wednesday. “However, this probability could change over time as technology evolves. Therefore, an interagency working group with expertise in this area—including the FBI, DHS, DOD, and other members of the Intelligence Community—will review the potential ways adversaries could misuse fingerprint data now and in the future…[and] also seek to develop potential ways to prevent such misuse. If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach.”
The recent revelation comes at a particularly ironic time, as the U.S. hosts a visit from Chinese president Xi Jinping, who said during a public appearance in Seattle that the Chinese government does not condone the hacking of U.S. targets, while pleading to partner with the U.S. to help stop cybercrime.
“As part of the government’s ongoing work to notify individuals affected by the theft of background investigation records, the Office of Personnel Management and the Department of Defense have been analyzing impacted data to verify its quality and completeness,” reads the statement published on the official OPM website. “During that process, OPM and [the Department of Defense] identified archived records containing additional fingerprint data not previously analyzed. Of the 21.5 million individuals whose Social Security Numbers and other sensitive information were impacted by the breach, the subset of individuals whose fingerprints have been stolen has increased from a total of approximately 1.1 million to approximately 5.6 million.”
The OPM downplayed the impact the biometric breach could have, adding that “federal experts believe that, as of now, the ability to misuse fingerprint data is limited.” However, the agency said the ability to exploit stolen fingerprints “could change over time as technology evolves.”
As the OPM investigation continues, the real details behind the breach seem to worsen with each headline.