OPM Fingerprint Breach 5 Times Larger Than Originally Thought

The US Office of Personnel Management (OPM) has admitted that 5.6 million people are now estimated to have had their fingerprint information stolen—which could have a big impact on future biometric security initiatives.

The federal government’s main employment body turns out to have significantly undershot its estimates as to how many people were affected by the breach that was uncovered in the summer. The number of people whose prints were lifted, so to speak, was originally thought to be about 1.1 million.

Meanwhile, about 22.1 million individuals had their Social Security Numbers and other sensitive information affected by a pair of hacks—this number has not been revised.

While the fingerprint heist shouldn’t be able to do much harm right now, the ramifications of the issue are likely to be far-ranging where cybercrime is concerned.

“Biometrics like fingerprints are the passwords of the future, and the staggering 5.6 million people of interest who have had their future passwords stolen from OPM are exposed to potential threats no one really understands,” said Jonathan Sander, VP of product strategy for Lieberman Software, in a comment. “If they are used well, fingerprints can be a very strong way to secure systems. As we learned from the recent Ashley Madison analysis, though, you can take potentially good security (encryption in that case) and use it so poorly that the bad guys get a big leg up.”

He pointed out that we simply don’t know what shortcuts may exist in future applications that will allow a mere shadow of a print like the data OPM had to become the way future breaches are pulled off.

Worse, contrary to popular belief, fingerprints are not unique, and among 5.6 million compromised fingerprints there can be quite a few people whose prints are similar enough to one another to be accepted by a biometric authentication system.

“Now, if there is someone with access to top secret information, and his fingerprint data can be matched to someone else with a known gambling problem (known from the background checks also leaked by OPM), the attacker has a way to potentially circumvent biometric authentication,” Igor Baikalov, chief scientist for Securonix, noted in an email. “Farfetched? Probably, but not impossible. The only good news might be that government is so much behind in implementing biometric authentication that this threat will not materialize in the near future.”
