Derek Hatfield/Shutterstock.com

Featured eBooks
2023 State Budget Trends
Software Bills of Materials
What's Happening in Health Tech
Pay & Benefits

How Much Damage Can Hackers Do With a Million Fingerprints From the OPM Data Breach?

The pilfering of 1.1 million fingerprints is “probably the biggest counterintelligence threat in my lifetime,” one former NSA official said.

Dustin Volz,
National Journal

|
Dustin Volz
Dustin Volz
 National Journal

The Office of Personnel Management announced last week that the personal data for 21.5 million people had been stolen. But for national security professionals and cybersecurity experts, the more troubling issue is the theft of 1.1 million fingerprints.

Much of their concern rests with the permanent nature of fingerprints and the uncertainty about just how the hackers intend to use them. Unlike a Social Security number, address, or password, fingerprints cannot be changed—once they are hacked, they're hacked for good. And government officials have less understanding about what adversaries could do or want to do with fingerprints, a knowledge gap that undergirds just how frightening many view the mass lifting of them from OPM.

"It's probably the biggest counterintelligence threat in my lifetime," said Jim Penrose, former chief of the Operational Discovery Center at the National Security Agency and now an executive vice president at the cybersecurity company Darktrace. "There's no situation we've had like this before, the compromise of our fingerprints. And it doesn't have any easy remedy or fix in the world of intelligence."

Though the idea of hacked fingerprints conjures up troubling scenarios gleaned from Hollywood's panoply of espionage capers, not much is currently known about those that OPM said were swiped in the data breach, which began last year and has been privately linked by officials to China. In fact, the agency said it didn't even know yet specifically which personnel have had their prints compromised.

"We do not have that information at this time," said Sam Schumach, an OPM spokesman, explaining that the agency is still assessing the breach and has not yet performed a "deep dive" into the data to assess whose fingerprints are now in the hands of hackers.

Questions also remain about what the ultimate goal of the OPM hackers is, and the administration so far continues to refuse to publicly blame China for the intrusion. Some have likened the breach to an enormous surveillance operation, one that Beijing conducted in order to build databases on the ins and out of the U.S. government and to potentially coerce, blackmail, or bribe officials into divulging closely guarded secrets.

Whatever the motives, the stolen fingerprints are viewed as a uniquely important and unprecedented data heist—one that could reap huge rewards for the hackers for decades to come.

"It's really horrifying, on so many levels," said Peter Singer, a strategist at the New America Foundation and a consultant for the military who just published a book, Ghost Fleet, that imagines what a cyber-heavy 21st-century war between the U.S., China, and Russia might look like. "This is different from the other breaches because this is a cyberattack that was not about intellectual-property theft. It was not about economic advantage of some sort. This is what we call preparing the battlefield."

Part of the worry, cybersecurity experts say, is that fingerprints are part of an exploding field of biometric data, which the government is increasingly getting in the business of collecting and storing. Fingerprints today are used to run background checks, verify identities at borders, and unlock smartphones, but the technology is expected to boom in the coming decades in both the public and private sectors.

"There's a big concern [with the OPM hack] not because of how much we're using fingerprints currently, but how we're going to expand using the technology in the next 5-10 years," said Robert Lee, cofounder of Dragos Security, which develops cybersecurity software.

Also problematic is that there is "no way to reissue a fingerprint," Lee said, meaning that once a set is in the hands of a foreign adversary they are vulnerable as long as that person is working in government.

That reality could create a squeeze on government for decades to come, as agencies may be forced to forgo fingerprints for things like two-factor authentication and instead rely on another biometric, such as facial recognition or iris scans. But those could also someday be hacked, as the OPM hack showed that just about anything stored in a government database can be up for grabs.

One thing seems clear: The fingerprints of most covert CIA spies working for the government are likely not affected, because the spy agency manages it own records apart from OPM. But the records for nearly every other executive agency, from the NSA to the FBI and anything housed under the Department of Defense, were laid bare during the hack. And some CIA agents who have previously worked elsewhere in government where they were required to submit a security-clearance form to OPM are also vulnerable.

One nightmare scenario envisioned by Ramesh Kesanupalli, an expert in biometrics, is that agents traveling across borders under aliases could be spotted for their true identities when their prints are scanned. Kesanupalli also warned that the fingerprints could end up somewhere on the black market, making biometrics a novel good to be trafficked on the Internet that could be useful to a buyer for decades.

For Kesanupalli, the hack may spur the government to start adopting other biometrics more quickly in lieu of the contaminated fingerprints, noting that iris scans are not as easily hackable as prints and harder to forge than facial scans, which can sometimes dupe cameras.

But fingerprints are likely only going to grow in importance for the government in the coming years, he said, and that is true for hackers, too.

"You never know down the line where we are going to use the fingerprints," Kesanupalli said.

Penrose, the former NSA official, also speculated that most of the stolen fingerprints were likely digital scans and not the older ink-based records, which may suggest that the bulk of the prints belong to active or recent employees. The broader breach affected all employees going back to 2000, OPM said.

"Jason Bourne would be in big trouble over this," Penrose said, referencing the fictional action-movie character played by Matt Damon. "Give him some new fingerprints."

(Image via Derek Hatfield/Shutterstock.com)

NEXT STORY: Feds’ Pay Raise Takes Unexpected Diversion

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.