Millions of fingerprints stolen in US government hack

Image source, AP

Image caption, The hack attack led OPM boss Katherine Archuleta to resign

Hackers who breached US government networks stole far more fingerprint records than first thought, officials have said.

In a statement, the White House said more than 5.6 million fingerprint records were stolen from the Office of Personnel Management (OPM).

An initial investigation suggested only 1.1 million were lost.

The OPM acts as the personnel office for the US government and keeps records on 21.5 million federal staff.

Identity risk

The OPM attack was uncovered in April this year and saw attackers make off with ID and security clearance information about US government staff. Social security numbers, names, addresses, health, financial and biometric data were all taken.

Fingerprint records were also stolen and the continuing investigation into the breach has revealed that far more went missing than initially thought.

The OPM played down the significance of the fingerprint theft saying that the ability to abuse the data was "currently limited". However, it acknowledged that the risk could rise as technology improved and fingerprints were increasingly used as a guarantee of identity.

"An inter-agency working group with expertise in this area ... will review the potential ways adversaries could misuse fingerprint data now and in the future," it said in a statement.

The FBI, Pentagon and Department of Homeland Security are all part of the task force assessing how losing fingerprint data might affect victims.

The OPM said it would soon start a massive project to inform all the people whose data had been stolen.

Ken Munro from security firm Pen Test Partners said: "The biggest concern about biometrics since day one has been revocation.

"It is easy to get a new password, pin or credit card after a breach but it's rather harder to get new fingers."

The announcement about the scale of the hack comes as Chinese President Xi Jinping makes a state visit to the US. Security experts have pointed the finger at China as the source of the attack but it has always denied any involvement.

Mr Xi and President Obama are due to talk about cybersecurity when they meet later this week.