About Those Fingerprints Stolen in the OPM Hack

The federal agency said Wednesday it underestimated the number of people whose fingerprints were exposed in a massive data breach.  

Kacper Pempel / Reuters

The government hack believed to be the biggest in U.S. history just got worse.

The Office of Personnel Management said Wednesday it underestimated the number of people whose fingerprints were stolen in a data breach that officials said originated in China. The federal agency said 5.6 million people’s fingerprints were compromised—not 1.1 million, as previously thought.

OPM, along with the Department of Defense, has spent the summer notifying millions of current and former government employees affected by the breach. During this process, OPM said the agencies “identified archived records containing additional fingerprint data not previously analyzed.”

OPM is the federal government’s human resources department, and has the task of conducting background checks for security clearances. The breach occurred in December 2014 and was made public in early June. Back then, the Obama administration estimated that security clearance data—including fingerprints, Social Security numbers, addresses, employment history, and financial records—of 4 million people was exposed. In July, the administration revised that estimate to 21.5 million after a second intrusion was detected. OPM Director Katherine Archuleta resigned soon after.

OPM said Wednesday that “as of now, the ability to misuse fingerprint data is limited” but that “this probability could change over time as technology evolves,” The Hill reports.

Advanced technology could allow hackers in possession of fingerprints to do things you might expect to see only in Hollywood. Here’s how FiveThirtyEight colorfully explained it in July:

[Fingerprints] could be used to sniff out individuals operating in a foreign country under false identities. Imagine that you, an American spy, travel to Hackistan ostensibly to work as the ambassador’s dog walker. The Hackistani government grabs your fingerprints when you arrive in the country. But now, after their successful hack, they can check yours against the prints in the stolen OPM database. They find that your prints are a partial match with the prints of a contractor who worked for the U.S. Department of Defense a decade ago. Uh oh.

For national and cybersecurity experts, the thought of fingerprints in particular falling into the wrong hands is especially frightening. As National Journal’s Dustin Volz wrote in July:

Much of their con­cern rests with the per­man­ent nature of fin­ger­prints and the un­cer­tainty about just how the hack­ers in­tend to use them. Un­like a So­cial Se­cur­ity num­ber, ad­dress, or pass­word, fin­ger­prints can­not be changed—once they are hacked, they’re hacked for good.

Earlier this month, the Defense Department awarded a $133 million contract to an identity-theft-protection-services company to monitor the hacked data.

Marina Koren is a staff writer at The Atlantic.