Months after hackers first broke into the Office of Personnel Management (OPM), the US government agency that handles all federal employee data, the hack keeps on getting worse.
In July, OPM revealed that the hackers, apart from getting their hands on highly sensitive private data from 21.5 million people that work for the government, had also stolen 1.1 million scans of fingerprints.
Well, forget about that: it was actually "approximately" 5.6 million fingerprints, OPM's Press Secretary Samuel Schumach said in a statement on Wednesday. What's worse, that might not even be the final number, as Schumach noted that an interagency investigation team "will continue to analyze and refine the data as it prepares to mail notification letters to impacted individuals."
Fingerprints are starting to be used for background checks, to verify identities at borders, or to unlock phones, and their use is expected to increase, even in the government. Yet OPM estimates that there's a "limited" risk that the fingerprints could be abused.
Asked whether OPM had any idea how the hackers, whom government officials privately believe to be Chinese, could misuse those fingerprints, Schumach said that what OPM has "learned from federal experts is that as of now, the ability to misuse this data is limited."
"Experts do acknowledge that the ability to misuse this data could increase over time as technology changes," he told Motherboard in an email.
You should probably take OPM's somewhat optimistic view with a grain of salt. Not just because the agency initially grossly underestimated the damage of a hack that they missed for months, but because experts actually believe that the theft of fingerprints might be the worst part of the breach, as previously reported by The National Journal.
"It's probably the biggest counterintelligence threat in my lifetime," Jim Penrose, the former chief of the Operational Discovery Center at the National Security Agency, told reporter Dustin Volz. "There's no situation we've had like this before, the compromise of our fingerprints. And it doesn't have any easy remedy or fix in the world of intelligence."
The main reason for that is that fingerprints, unlike passwords or social security numbers, can't be changed. So if the US government continues with its plans to increase the use of biometrics like fingerprints as a form of authentication, it will have to cope with the fact that the hackers, who are likely part of the Chinese intelligence community, now have the ability to spoof US government employees' fingerprints.
Spoofing fingerprints isn't just the realm of science fiction or action movies anymore. In 2013, a German hacker showed that it was relatively easy to lift someone's fingerprint from, say, a glass, and reproduce it to unlock an iPhone.