5.6 Million Fingerprints Stolen in OPM Breach

That’s five times more than the agency originally estimated.

Sept. 23, 2015, 10:37 a.m.

More than one-quarter of the 21.5 million individuals whose sensitive personal data was swept up in the data breach at the Office of Personnel Management last year had their fingerprint data compromised, the agency announced Wednesday.

OPM had originally estimated that 1.1 million fingerprint records had been stolen when hackers made their way into the agency’s data systems, but upon further analysis, investigators from OPM and the Defense Department found “archived records” with additional fingerprint data. The government now estimates that 5.6 million individuals had their fingerprints stolen.

The breach that compromised the biometric data also affected Social Security numbers, health and financial information, names of relatives, and addresses. Officials have privately linked the data breach to China.

In its announcement, OPM sought to downplay the importance of the stolen fingerprint data. “Federal experts believe that, as of now, the ability to misuse fingerprint data is limited,” an OPM spokesman said in a statement. “However, this probability could change over time as technology evolves.”

Some experts are less confident about the fallout, even now, of a breach of so many fingerprint records. “It’s probably the biggest counterintelligence threat in my lifetime,” said Jim Penrose—former chief of the Operational Discovery Center at the National Security Agency and now an executive vice president at the cybersecurity company Darktrace—earlier this summer.

“There’s no situation we’ve had like this before, the compromise of our fingerprints. And it doesn’t have any easy remedy or fix in the world of intelligence,” Penrose said.

The government is putting together a group of experts from Defense, FBI, the Homeland Security Department, and other agencies to analyze the potential harm of the loss of this fingerprint data, OPM announced Wednesday, and find ways to prevent exploitation of the data.

For now, the individuals whose fingerprints were stolen will not get special treatment from the government. They, like the rest of the 21.5 million people implicated in the cyberattack, will receive three years of identity-theft protection services from Identity Guard, which was awarded a $133 million contract earlier this month.

None of the 21.5 million individuals have been notified yet, according to the OPM spokesman, but OPM Acting Director Beth Cobert has said the first notifications should go out by the end of this month.

The news, which coincided with a historic address from Pope Francis and President Obama at the White House, did not escape lawmakers’ notice. “Today’s blatant news dump is the clearest sign yet that the administration still acts like the OPM hack is a PR crisis instead of a national security threat,” said Sen. Ben Sasse, a Republican from Nebraska. “The American people have no reason to believe that they’ve heard the full story and every reason to believe that Washington assumes they are too stupid or preoccupied to care about cybersecurity.”

“OPM keeps getting it wrong,” said House Oversight Committee Chairman Jason Chaffetz, a longtime critic of the agency’s post-breach management. “This breach continues to worsen for the 21.5 million Americans affected. I have zero confidence in OPM’s competence and ability to manage this crisis. OPM’s IT management team is not up to the task. They have bungled this every step of the way.”

The agency’s announcement comes just a day before Chinese President Xi Jinping is scheduled to arrive in Washington, D.C., for a series of high-level meetings. President Obama has said that cybersecurity will be high on the meeting agenda, and officials have indicated they will be firm on the issue of state-sponsored cyberattacks from China.

In a speech in Seattle yesterday, Xi denied that China is involved in cyberattacks. “The Chinese government will not, in whatever form, engage in commercial thefts or encourage or support such attempts by anyone,” Xi said. “Both commercial cybertheft and hacking against government networks are crimes that must be punished in accordance with law and relevant international treaties.”
