I haven’t written about the OPM hacking incident, basically because it’s not an area I’m that familiar with and I also wanted to wait for some of the initial (and in some cases politically motivated) hysteria to boil off. But an article today from Dustin Volz at National Journal certainly caught my attention.
The Office of Personnel Management announced last week that the personal data for 21.5 million people had been stolen. But for national security professionals and cybersecurity experts, the more troubling issue is the theft of 1.1 million fingerprints.
Much of their concern rests with the permanent nature of fingerprints and the uncertainty about just how the hackers intend to use them. Unlike a Social Security number, address, or password, fingerprints cannot be changed—once they are hacked, they’re hacked for good. And government officials have less understanding about what adversaries could do or want to do with fingerprints, a knowledge gap that undergirds just how frightening many view the mass lifting of them from OPM.
Volz goes on to note that the use of fingerprint scans for security purposes in various settings is a practice expected to expand rapidly in the near future. So the hack may have been part of a more comprehensive effort to outflank not just present but future security systems. And while the U.S. could shift to another form of biometric identification, that would not change the fact that the stolen fingerprints will always be usable to identify their bearers. There’s a small silver lining, but not much of one:
The fingerprints of most covert CIA spies working for the government are likely not affected, because the spy agency manages its own records apart from OPM. But the records for nearly every other executive agency, from the NSA to the FBI and anything housed under the Department of Defense, were laid bare during the hack. And some CIA agents who have previously worked elsewhere in government where they were required to submit a security-clearance form to OPM are also vulnerable.
It will take quite an effort just to assess who is at risk from this aspect of the hack. But beyond that, it’s unsettling to realize this is data that cannot be changed like a password or an account number.