5.6 Million Fingerprints Stolen in OPM Breach

That's five times more than the agency originally estimated.


More than one-quarter of the 21.5 million individuals whose sensitive personal data was swept up in the data breach at the Office of Personnel Management last year had their fingerprint data compromised, the agency announced Wednesday.

OPM had originally estimated that 1.1 million fingerprint records had been stolen when hackers made their way into the agency's data systems, but upon further analysis, investigators from OPM and the Defense Department found "archived records" with additional fingerprint data. The government now estimates that 5.6 million individuals had their fingerprints stolen.

The breach that compromised the biometric data also affected Social Security numbers, health and financial information, names of relatives, and addresses. Officials have privately linked the data breach to China.

In its announcement, OPM sought to downplay the importance of the stolen fingerprint data. "Federal experts believe that, as of now, the ability to misuse fingerprint data is limited," an OPM spokesman said in a statement. "However, this probability could change over time as technology evolves."

Some experts are less confident about the fallout, even now, of a breach of so many fingerprint records. "It's probably the biggest counterintelligence threat in my lifetime," said Jim Penrose, former chief of the Operational Discovery Center at the National Security Agency and now an executive vice president at the cybersecurity company Darktrace, earlier this summer.

"There's no situation we've had like this before, the compromise of our fingerprints. And it doesn't have any easy remedy or fix in the world of intelligence," Penrose said.

The government is putting together a group of experts from Defense, FBI, the Homeland Security Department, and other agencies to analyze the potential harm of the loss of this fingerprint data, OPM announced Wednesday, and find ways to prevent exploitation of the data.

For now, the individuals whose fingerprints were stolen will not get special treatment from the government. They, like the rest of the 21.5 million people implicated in the cyberattack, will receive three years of identity-theft protection services from Identity Guard, which was awarded a $133 million contract earlier this month.

None of the 21.5 million individuals have been notified yet, according to the OPM spokesman, but OPM Acting Director Beth Cobert has said the first notifications should go out by the end of this month.

The news, which coincided with a historic address from Pope Francis and President Obama at the White House, did not escape lawmakers' notice. "Today's blatant news dump is the clearest sign yet that the administration still acts like the OPM hack is a PR crisis instead of a national security threat," said Sen. Ben Sasse, a Republican from Nebraska. "The American people have no reason to believe that they've heard the full story and every reason to believe that Washington assumes they are too stupid or preoccupied to care about cybersecurity."

"OPM keeps getting it wrong," said House Oversight Committee Chairman Jason Chaffetz, a longtime critic of the agency's post-breach management. "This breach continues to worsen for the 21.5 million Americans affected. I have zero confidence in OPM’s competence and ability to manage this crisis. OPM's IT management team is not up to the task. They have bungled this every step of the way."

The agency's announcement comes just a day before Chinese President Xi Jinping is scheduled to arrive in Washington, D.C., for a series of high-level meetings. President Obama has said that cybersecurity will be high on the meeting agenda, and officials have indicated they will be firm on the issue of state-sponsored cyberattacks from China.

In a speech in Seattle yesterday, Xi denied that China is involved in cyberattacks. "The Chinese government will not, in whatever form, engage in commercial thefts or encourage or support such attempts by anyone," Xi said. "Both commercial cybertheft and hacking against government networks are crimes that must be punished in accordance with law and relevant international treaties."