If you kind of blocked out the Office of Personnel Management hack because it was too ridiculous to face, you may not remember that among the 21.5 million people who had their social security numbers stolen, some also had fingerprint records compromised. Originally OPM said that about 1.1 million fingerprint records had been snatched up, but Wednesday the agency admitted that the number is actually 5.6 million. It feels like this situation will never run out of ways to get worse.
The fact that it's taken OPM so long to release an accurate fingerprint number is bizarre in itself. Joseph Lorenzo Hall, the chief technologist at the Center for Democracy & Technology, told the Washington Post, “I’m surprised they didn't have structures in place to determine the number of fingerprints compromised earlier during the investigation.”
What's even scarier, though, is that the 5.6 million people involved in the fingerprint breach have lost control of a personal authenticator that they can't change. Social Security numbers are still much more widely used, but fingerprints are a part of your body. You can't alter them. For the 5.6 million people affected, the records are out there forever.
And to twist the knife a little deeper, these aren't just any records—they're the fingerprints of federal employees, many of whom have security clearances. You can see why someone might want to steal them.
Biometrics are appealing authenticators, because you are you. But the OPM situation reveals one problem with them: Unlike passwords and credit card numbers, which are easily iterated, a breach can compromise people's biometrics for life.
OPM said in a statement:
Federal experts believe that, as of now, the ability to misuse fingerprint data is limited. However, this probability could change over time as technology evolves. Therefore, an interagency working group with expertise in this area – including the FBI, DHS, DOD, and other members of the Intelligence Community – will review the potential ways adversaries could misuse fingerprint data now and in the future. This group will also seek to develop potential ways to prevent such misuse.
Alongside the fraud protection OPM is already offering, the agency says it will extend additional protections to the 5.6 million fingerprint breach victims if bad actors develop new ways of exploiting the data in the future.
The timing of the announcement coincides with Chinese president Xi Jinping's visit to the United States this week. So far he has met with business leaders in Seattle, emphasizing that China is itself a victim of cyberattacks and does not condone cybercrime, the Wall Street Journal reports. China is still thought to have orchestrated the OPM hack.