The number of fingerprints stolen in OPM hack rose to 5.6 million

Once again, the scope of the breach at the US Office of Personnel Management has been amended: OPM’s press secretary Sam Schumach announced on Wednesday that “of the 21.5 million individuals whose Social Security Numbers and other sensitive information were impacted by the breach, the subset of individuals whose fingerprints have been stolen has increased from a total of approximately 1.1 million to approximately 5.6 million.”

If you’re wondering how come they haven’t discovered this fact sooner, it’s because only now the “OPM and DoD identified archived records containing additional fingerprint data not previously analyzed.”

Schumach then tried to reassure potentially affected individuals: “Federal experts believe that, as of now, the ability to misuse fingerprint data is limited. However, this probability could change over time as technology evolves. Therefore, an interagency working group with expertise in this area – including the FBI, DHS, DOD, and other members of the Intelligence Community – will review the potential ways adversaries could misuse fingerprint data now and in the future. This group will also seek to develop potential ways to prevent such misuse. If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach.”

But the fact remains that, unlike passwords, fingerprints can’t be changed. If, as US officials believe, the breach has been perpetrated by the Chinese, any of these individuals – whether they work for the US government or just wanted to – will be easily recognized for who they are if they travel to China and are required at some point (for example, when they enter the country) to provide their fingerprints.

While US government officials are becoming increasingly worried about the poor job the OPM has been doing in the wake of the breach and before it, and what this means for the country, potentially affected individuals have even more to worry.

Biometrics, and fingerprints in particular, are increasingly being used to identify users in their day-to-day lives. The fact that an unknown entity has that data, and will almost surely use it in a way that could endanger their lives and livelihood at one point in time, is definitely a daunting prospect. Free identify theft and fraud protection services offered by the OPM to the affected individuals are, I imagine, a poor consolation.