How Much Damage Can the OPM Hackers Do With a Million Fingerprints?

The pilfering of 1.1 million fingerprints is “probably the biggest counterintelligence threat in my lifetime,” one former NSA official said.

Dustin Volz
July 14, 2015, 11:14 a.m.

The Office of Personnel Management announced last week that the personal data for 21.5 million people had been stolen. But for national security professionals and cybersecurity experts, the more troubling issue is the theft of 1.1 million fingerprints.

Much of their concern rests with the permanent nature of fingerprints and the uncertainty about just how the hackers intend to use them. Unlike a Social Security number, address, or password, fingerprints cannot be changed—once they are hacked, they’re hacked for good. And government officials have less understanding about what adversaries could do or want to do with fingerprints, a knowledge gap that underlies just how frightening many find the mass lifting of them from OPM.

“It’s probably the biggest counterintelligence threat in my lifetime,” said Jim Penrose, former chief of the Operational Discovery Center at the National Security Agency and now an executive vice president at the cybersecurity company Darktrace. “There’s no situation we’ve had like this before, the compromise of our fingerprints. And it doesn’t have any easy remedy or fix in the world of intelligence.”

Though the idea of hacked fingerprints conjures up troubling scenarios gleaned from Hollywood’s panoply of espionage capers, not much is currently known about those that OPM said were swiped in the data breach, which began last year and has been privately linked by officials to China. In fact, the agency said it didn’t even know yet specifically which personnel have had their prints compromised.

“We do not have that information at this time,” said Sam Schumach, an OPM spokesman, explaining that the agency is still assessing the breach and has not yet performed a “deep dive” into the data to assess whose fingerprints are now in the hands of hackers.

Questions also remain about what the ultimate goal of the OPM hackers is, and the administration so far continues to refuse to publicly blame China for the intrusion. Some have likened the breach to an enormous surveillance operation, one that Beijing conducted in order to build databases on the ins and outs of the U.S. government and to potentially coerce, blackmail, or bribe officials into divulging closely guarded secrets.

Whatever the motives, the stolen fingerprints are viewed as a uniquely important and unprecedented data heist—one that could reap huge rewards for the hackers for decades to come.

“It’s really horrifying, on so many levels,” said Peter Singer, a strategist at the New America Foundation and a consultant for the military who just published a book, Ghost Fleet, that imagines what a cyber-heavy 21st-century war between the U.S., China, and Russia might look like. “This is different from the other breaches because this is a cyberattack that was not about intellectual-property theft. It was not about economic advantage of some sort. This is what we call preparing the battlefield.”

Part of the worry, cybersecurity experts say, is that fingerprints are part of an exploding field of biometric data, which the government is increasingly getting in the business of collecting and storing. Fingerprints today are used to run background checks, verify identities at borders, and unlock smartphones, but the technology is expected to boom in the coming decades in both the public and private sectors.

“There’s a big concern [with the OPM hack] not because of how much we’re using fingerprints currently, but how we’re going to expand using the technology in the next 5-10 years,” said Robert Lee, cofounder of Dragos Security, which develops cybersecurity software.

Also problematic is that there is “no way to reissue a fingerprint,” Lee said, meaning that once a set is in the hands of a foreign adversary they are vulnerable as long as that person is working in government.

That reality could create a squeeze on government for decades to come, as agencies may be forced to forgo fingerprints for things like two-factor authentication and instead rely on another biometric, such as facial recognition or iris scans. But those could also someday be hacked, as the OPM hack showed that just about anything stored in a government database can be up for grabs.

One thing seems clear: The fingerprints of most covert CIA spies working for the government are likely not affected, because the spy agency manages its own records apart from OPM. But the records for nearly every other executive agency, from the NSA to the FBI and anything housed under the Department of Defense, were laid bare during the hack. And some CIA agents who have previously worked elsewhere in government where they were required to submit a security-clearance form to OPM are also vulnerable.

One nightmare scenario envisioned by Ramesh Kesanupalli, an expert in biometrics, is that agents traveling across borders under aliases could be spotted for their true identities when their prints are scanned. Kesanupalli also warned that the fingerprints could end up somewhere on the black market, making biometrics a novel good to be trafficked on the Internet that could be useful to a buyer for decades.

For Kesanupalli, the hack may spur the government to start adopting other biometrics more quickly in lieu of the contaminated fingerprints, noting that iris scans are not as easily hackable as prints and harder to forge than facial scans, which can sometimes dupe cameras.

But fingerprints are likely only going to grow in importance for the government in the coming years, he said, and that is true for hackers, too.

“You never know down the line where we are going to use the fingerprints,” Kesanupalli said.

Penrose, the former NSA official, also speculated that most of the stolen fingerprints were likely digital scans and not the older ink-based records, which may suggest that the bulk of the prints belong to active or recent employees. The broader breach affected all employees going back to 2000, OPM said.

“Jason Bourne would be in big trouble over this,” Penrose said, referencing the fictional action-movie character played by Matt Damon. “Give him some new fingerprints.”
