5.6 Million Fingerprints Stolen in OPM Breach

That’s five times more than the agency originally estimated.

Sept. 23, 2015, 10:37 a.m.

More than one-quarter of the 21.5 million individuals whose sensitive personal data was swept up in the data breach at the Office of Personnel Management last year had their fingerprint data compromised, the agency announced Wednesday.

OPM had originally estimated that 1.1 million fingerprint records had been stolen when hackers made their way into the agency’s data systems, but upon further analysis, investigators from OPM and the Defense Department found “archived records” with additional fingerprint data. The government now estimates that 5.6 million individuals had their fingerprints stolen.

The breach that compromised the biometric data also affected Social Security numbers, health and financial information, names of relatives, and addresses. Officials have privately linked the data breach to China.

In its announcement, OPM sought to downplay the importance of the stolen fingerprint data. “Federal experts believe that, as of now, the ability to misuse fingerprint data is limited,” an OPM spokesman said in a statement. “However, this probability could change over time as technology evolves.”

Some experts are less confident about the fallout, even now, of a breach of so many fingerprint records. “It’s probably the biggest counterintelligence threat in my lifetime,” said Jim Penrose—former chief of the Operational Discovery Center at the National Security Agency and now an executive vice president at the cybersecurity company Darktrace—earlier this summer.

“There’s no situation we’ve had like this before, the compromise of our fingerprints. And it doesn’t have any easy remedy or fix in the world of intelligence,” Penrose said.

The government is putting together a group of experts from Defense, FBI, the Homeland Security Department, and other agencies to analyze the potential harm of the loss of this fingerprint data, OPM announced Wednesday, and find ways to prevent exploitation of the data.

For now, the individuals whose fingerprints were stolen will not get special treatment from the government. They, like the rest of the 21.5 million people implicated in the cyberattack, will receive three years of identity-theft protection services from Identity Guard, which was awarded a $133 million contract earlier this month.

None of the 21.5 million individuals have been notified yet, according to the OPM spokesman, but OPM Acting Director Beth Cobert has said the first notifications should go out by the end of this month.

The news, which coincided with a historic address from Pope Francis and President Obama at the White House, did not escape lawmakers’ notice. “Today’s blatant news dump is the clearest sign yet that the administration still acts like the OPM hack is a PR crisis instead of a national security threat,” said Sen. Ben Sasse, a Republican from Nebraska. “The American people have no reason to believe that they’ve heard the full story and every reason to believe that Washington assumes they are too stupid or preoccupied to care about cybersecurity.”

“OPM keeps getting it wrong,” said House Oversight Committee Chairman Jason Chaffetz, a longtime critic of the agency’s post-breach management. “This breach continues to worsen for the 21.5 million Americans affected. I have zero confidence in OPM’s competence and ability to manage this crisis. OPM’s IT management team is not up to the task. They have bungled this every step of the way.”

The agency’s announcement comes just a day before Chinese President Xi Jinping is scheduled to arrive in Washington, D.C., for a series of high-level meetings. President Obama has said that cybersecurity will be high on the meeting agenda, and officials have indicated they will be firm on the issue of state-sponsored cyberattacks from China.

In a speech in Seattle yesterday, Xi denied that China is involved in cyberattacks. “The Chinese government will not, in whatever form, engage in commercial thefts or encourage or support such attempts by anyone,” Xi said. “Both commercial cybertheft and hacking against government networks are crimes that must be punished in accordance with law and relevant international treaties.”
