OPM Breach Snags 5 Million Fingerprints
More bad news surfaced for victims of the Office of Personnel Management breach reported in June 2015. The agency said that of the 21.5 million individuals whose information was hacked, 5.6 million had their fingerprints lifted.
As part of the government’s effort to notify individuals affected by the theft of background investigation records, the OPM and Department of Defense analyzed impacted data to verify its quality and completeness. During that process, it was discovered that the number of individuals with stolen fingerprints stood at 5.6 million, not 1.1 million as previously thought.
News of the massive breaches began in April 2015, when the OPM discovered a separate but related incident in which personal data was stolen from 4.2 million current and former Federal government employees. Then, in June 2015, while investigating the prior event, the OPM discovered an additional compromise of background investigation records belonging to 21.5 million current, former and prospective Federal employees and contractors.
“Federal experts believe that, as of now, the ability to misuse fingerprint data is limited,” OPM Press Secretary Sam Schumach said. “However, this probability could change over time as technology evolves.”
An interagency working group that includes the FBI, Department of Homeland Security, DOD and other members of the intelligence community will review ways adversaries could misuse the fingerprint data.
Breaches involving biometric data such as fingerprints are particularly concerning because this data cannot be changed, and analysts say the consequences could linger for years.
“Spoofing fingerprints is no longer something from a sci-fi movie,” Ryan Wilk, director of customer success at the Vancouver-based NuData Security, said. “It is happening and will increase more as cheaper tools make their way onto the Dark Web.”
Wilk continued, “By combining the information stolen from these breaches, hackers have the potential to compile comprehensive user identities. In other words, they’ve now got a full database of information that could be used for multiple fraudulent and nefarious purposes into generations to come. They are able to use the stolen information and fingerprints to create more comprehensive ‘identity bundles’ which sell for a higher value to hackers. With more complete information, more damaging fraud can take place.”
With biometric data in the wrong hands as a result of the OPM hack, organizations are at a huge risk if they rely on the centralized storage of biometric data, Bojan Simic, chief technology officer for the New York City-based biometrics-as-a-service provider HYPR, emphasized.
“However, this brings us back to the question, ‘Are biometrics being done correctly?’” Simic asked. “Placing millions of people's biometric signatures into a central repository – just as it is often done with passwords – is an extraordinarily risky policy because unlike passwords, biometric data cannot be changed.”
Stu Sjouwerman, founder/CEO of the Clearwater, Fla.-based Knowbe4, noted, “Having fingerprints stolen on top of highly confidential personal information while working for the U.S. government is adding insult to injury. This allows bad guys to practically fully impersonate you or even worse, create false fingerprint evidence at either crime scenes or espionage cases which opens up further opportunities for extortion, blackmail and spear phishing.”
Normally, for hackers looking to make sales, more stolen information is better. So in this case, they grabbed everything they could and can now up the price for people developing exploits for fingerprints, Ondrej Krehel, founder/CEO of the New York City-based cybersecurity intelligence firm LIFARS, explained.
“Fingerprints can be looked up in government or medical databases, where having this may help to illuminate criminal or medical records,” Krehel said. “These can be used for blackmail or impersonation. There are also other records that embed fingerprints into their documents, cards, chips, etc. These will now be able to be faked with higher accuracy, especially if they come into play later on.”
Mike Chase, chief technology officer for the Gardena, Calif.-based web hosting company dinCloud, added, “The OPM breach is unique in that fingerprint data gets very personal, because everything from your iPhone to many residential gun safes use fingerprint technology as security. This comes at a time when private employers and public government agencies are pressing workers, consumers and citizens to supply an ever increasing amount of personal data, psychological testing, drug testing, fingerprints and more to institutions who can’t guarantee their safety.”