OPM hack included 5.6 million federal employees' fingerprints

OPM says it's not a problem now and if it ever is, it will deal with it

Just when you thought things couldn't get any worse, they do. No, we're not talking about Volkswagens, we're talking about the massive cybersecurity breach at the Office of Personnel Management (OPM), the huge federal agency that is, in effect, the federal government's human resources department.

OPM now says that 5.6 million federal employees' fingerprints were stolen as part of the hack -- more than five times the original estimate. The names, addresses, and Social Security numbers of more than 21 million federal workers past and present were lifted in the heist.

OPM released this little tidbit as Washington was distracted by the tumultuous visit of the Pope. Bad news is usually released in Washington on Friday afternoon, but a huge snowstorm, holiday, or Papal visit can also be used as cover when needed.

With its usual above-the-fray manner, OPM says the fingerprints won't be much good to the hackers -- for now, anyway -- but admitted that "could change over time as technology evolves."

Biometric threat


Although they have been around just about forever, fingerprints are actually part of an emerging field generally known as biometrics -- simply put, using unique bodily characteristics to identify individuals. Iris scans are already in use and other methods are close behind. Someday, we may all be known by our DNA.

The problem with biometric markers is fairly obvious -- they can't be changed. If someone steals your driver's license and Social Security numbers, you can get them replaced, though at great cost in time and aggravation. But despite what you may have seen at the movies, you can't replace your fingerprints or your iris.

This doesn't seem to worry OPM too much.

"If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach," the agency said. What that additional information might be is a bit difficult to predict, but OPM rushed to assure worried feds that it was deploying that most feared of all bureaucratic weapons -- an interagency working group.

"[A]n interagency working group with expertise in this area – including the FBI, DHS, DOD, and other members of the Intelligence Community – will review the potential ways adversaries could misuse fingerprint data now and in the future," said OPM Press Secretary Sam Schumach in a prepared statement.

"This group will also seek to develop potential ways to prevent such misuse. If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach," Schumach added.

Largely useless

Schumach also repeated previous assurances that all affected federal employees would be eligible for what critics have described as "largely useless" ID theft monitoring services.

"Useless" is actually a mild description. The government's loss of employees' fingerprints takes the whole notion of identity theft to a new level. Previously a device used mostly by scam artists to steal money, identity theft of government operatives' fingerprints is a direct threat to national security and the individual safety of those operatives.

Imagine for a moment that you are working clandestinely in a foreign land for one of those agencies that can't be named. When you entered Country X, your fingerprints were taken at Passport Control and scanned into the totalitarian government's digital database.

Now assume that Country X is one of the purchasers of the purloined OPM documents. It takes the stolen data and runs a comparison scan with its records of all non-nationals who have entered the country over the last few years.

Bingo. You've been "made." Think OPM has a solution for that?