OPM Breach Impacts 5.6M, Not 1.1M, Fingerprints
The Office of Personnel Management disclosed today that 5.6 million fingerprints, not 1.1 million, were stolen when the federal agency was breached in July.
At that time, 21.5 million individuals' Social Security numbers and other sensitive data was taken, reportedly by the Chinese government. But unlike credit cards and SSNs, fingerprints cannot be replaced once breached, an innate weakness of biometrics that has long concerned security experts.
"One of the features of a good credential is it is revocable. If your credit card gets compromised, it can be revoked. If your house or office keys get stolen, you can change the lock. There's a mechanism to revoke," said Jeff Schmidt, CEO of JAS Global Advisors, in an interview. "One thing people have always worried about with biometrics is they're not revocable."
Today, the government does not know of any uses for the stolen fingerprints, but OPM admitted this could change.
"Therefore, an interagency working group with expertise in this area – including the FBI, DHS, DOD, and other members of the Intelligence Community – will review the potential ways adversaries could misuse fingerprint data now and in the future," wrote OPM Press Secretary Sam Schumach on the organization's website today. "This group will also seek to develop potential ways to prevent such misuse. If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach."
In addition to being irreplaceable if breached, fingerprints may not be security's silver bullet.
In late 2014, a member of the Chaos Computer Club reportedly cloned a German politician's thumbprint using commercial software and a photograph, the BBC reported. During this summer's Black Hat conference in Las Vegas, FireFly researchers demonstrated four ways to steal or circumvent fingerprint readers on Android phones, PCMag wrote.
For example, FireFly researchers announced that HTC stored fingerprint data as a "world readable" image file, which hackers could use to duplicate a user's fingerprint. HTC said it was aware of the problem and had fixed it.
By 2020, 100 percent of smart mobile devices will include embedded biometric sensors, according to Acuity Market Intelligence's June 2015 study, "The Global Biometrics and Mobility Report."
When OPM originally disclosed the breach, some former government officials expressed outrage and concern over the fingerprint theft.
"It's probably the biggest counterintelligence threat in my lifetime," Jim Penrose, former chief of the Operational Discovery Center at the National Security Agency and now an executive vice president at cybersecurity firm Darktrace, told the National Journal in July. "There's no situation we've had like this before, the compromise of our fingerprints. And it doesn't have any easy remedy or fix in the world of intelligence."
There is no simple cure, but enterprises should learn from this worsening crisis.
"The OPM breach starkly demonstrates that it is not just corporations who have challenges of protecting employee SSNs, healthcare records, and even fingerprints. No organization, public or private sector, wants this type of publicity. The scale of this breach should be a wake-up call for all CIOs," Kunal Rupani, principal product manager at Accellion, told EnterpriseTech.
Biometric solutions can be inaccessible and organizations should have a workaround, whether that inaccessibility is due to an individual's physical condition or a technical problem, said Schmidt.
Organizations also should reconsider how much and what type of information needs storing and, of that data, what needs to be connected to the network, he said.
"With a bunch of the breaches lately, piling up mounds of data is as much a liability as it is an asset. Keeping lots and lots of data just because you can – storage is basically free now so people become data packrats – it's almost cheaper to keep it than figure out whether you need to delete it or move it to cold archive," said Schmidt. "A lot of companies we work with are physically removing hard drives and sticking them in a vault."