The federal Office of Personnel Management says 5.6 million people’s fingerprints were stolen as part of recent database hacks. The Washington Post says that is more than five times the 1.1 million officials estimated when the cyberattacks were disclosed this summer. The total number of those believed to be caught up in the breaches, which included the theft of the Social Security numbers and addresses of 21 million former and current government employees, remains the same. OPM and the Department of Defense were reviewing the theft of background investigation records when they identified more fingerprint data that had been exposed. Breaches involving biometric data like fingerprints are concerning to privacy experts because of their permanence: Unlike passwords and Social Security numbers, fingerprints cannot be changed. Those affected by this breach may find themselves grappling with the fallout for years.
“The fact that the number [of fingerprints breached] just increased by a factor of five is pretty mind-boggling,” said Joseph Lorenzo Hall of the Center for Democracy & Technology. “I'm surprised they didn’t have structures in place to determine the number of fingerprints compromised earlier during the investigation.” Rep. Jason Chaffetz (R-UT) said, “OPM keeps getting it wrong. I have zero confidence in OPM's competence and ability to manage this crisis.” As fingerprints increasingly replace passwords as a day-to-day security measure for unlocking iPhones or even homes, security experts have grown concerned about how hackers might leverage them. China is suspected of the breaches, perhaps to build a massive database on Americans. U.S. government officials have declined to blame China publicly. Chinese President Xi Jinping, visiting the U.S., called China a strong defender of cybersecurity and a victim of hacking itself in a speech in Seattle.