Fingerprint information belonging to 5.6 million federal government workers was stolen by hackers who infiltrated the U.S. Office of Personnel Management, the agency announced Wednesday. That’s far more than the initial estimate that 1.1 million people had their prints stolen, and more proof that the breach is much worse than it seemed when it was first revealed in June.
The announcement coincides with a visit from Chinese President Xi Jinping, who is scheduled to discuss cybersecurity with President Barack Obama Thursday. China is widely believed to be responsible for the hack.
Unlike email addresses, passwords and other personal details compromised in the OPM breach, fingerprints are almost impossible for victims to change. A fingerprint is a permanent identifier that, in the wrong hands, could enable an identity thief to pose under a false name forever. The Office of Personnel Management, in effect the federal government’s human resources department, did not specify which employees had fallen victim to the security breach.
“As part of the government’s ongoing work to notify individuals affected by the theft of background investigation records, the Office of Personnel Management and the Department of Defense have been analyzing impacted data to verify its quality and completeness,” states an announcement on the OPM site. “During that process, OPM and DoD identified archived records containing additional fingerprint data not previously analyzed. Of the 21.5 million individuals whose Social Security numbers and other sensitive information were impacted by the breach, the subset of individuals whose fingerprints have been stolen has increased from a total of approximately 1.1 million to approximately 5.6 million.”
Security clearance background forms were also compromised in the breach, presumably helping the Chinese government -- if it is the culprit -- get an idea of which U.S. government workers might be willing to spy for them, and which Americans are already spying on Beijing.