
More Than Five Million Fingerprints Stolen In US Government Hack

Tom Jowitt is a leading British tech freelance and long-standing contributor to TechWeek Europe

Office of Personnel Management hack stole over five million fingerprint records of US government staff

The attack that hit the US Office of Personnel Management (OPM), the body which handles staff records and security clearances, stole more fingerprint data than first thought.

The devastating hack was detected back in April, and US authorities are looking into a possible Chinese connexion, although China has denied it was behind the hack.

Compromised Fingerprints

At the time of the incident, it was reported that the hack had hit OPM’s IT systems and data stored at the Department of the Interior’s data centre, a shared service centre for federal agencies. That hack compromised the personal data of 21.5 million US government employees, including 1.1 million fingerprints belonging to government staff.

But now it seems that the hackers actually got away with about 5.6 million fingerprint records, 4.5 million more than initially reported. The discovery came during an ongoing analysis of the data breach.

“As part of the government’s ongoing work to notify individuals affected by the theft of background investigation records, the Office of Personnel Management and the Department of Defense have been analysing impacted data to verify its quality and completeness,” said the OPM.

“During that process, OPM and DoD identified archived records containing additional fingerprint data not previously analysed,” it said. “Of the 21.5 million individuals whose Social Security Numbers and other sensitive information were impacted by the breach, the subset of individuals whose fingerprints have been stolen has increased from a total of approximately 1.1 million to approximately 5.6 million. This does not increase the overall estimate of 21.5 million individuals impacted by the incident.”

The fact that the hackers now have many more fingerprints at their disposal will no doubt be raising alarm bells internally. But publicly, the OPM is saying that the ability to misuse fingerprint data is limited (for the time being).

“As we have stated previously, all individuals impacted by this intrusion and their minor dependent children (as of July 1, 2015) are eligible for identity theft and fraud protection services, at no cost to them,” said the OPM. “In conjunction with the Department of Defense, OPM is working to begin mailing notifications to impacted individuals, and these notifications will proceed on a rolling basis.”

The fingerprint revelation comes at a time when the US is preparing for the state visit of Chinese President Xi Jinping. President Obama will raise the issue of Chinese hacking in talks with Xi at the White House later this week.

Chinese Aggression?

China has been repeatedly blamed in the past for a number of “state sponsored” attacks against US government departments and businesses. Attempts by both countries to tackle the scourge of cyber crime together stalled last year.

Matters were not helped when the US filed hacking charges against Chinese army personnel. In late May 2014, the US filed indictments against five members of Unit 61398 of the Chinese People’s Liberation Army (PLA).

Previous “state sponsored” attacks have hit healthcare provider Anthem; US Investigations Services (USIS), the largest provider of background investigations to the American government; as well as numerous defence contractors.

As a result, President Barack Obama created a new sanctions scheme against hackers after he signed an executive order in April this year.

America has also warned that the United States military has the right to retaliate with military force against a cyber-attack.
