OPM Breach of Fingerprint Data Much Worse Than Thought

Just in time for Chinese President Xi Jinping’s arrival in Washington, U.S. government officials announced that the hack of the Office of Personnel Management first revealed in June was much bigger than expected. U.S. officials privately say Chinese agents are thought to have been responsible for the attack.

The OPM said Wednesday that the large-scale breach of its servers resulted in the theft of 5.6 million sets of fingerprints, rather than the 1.1 million previously thought to have been lifted. The OPM and the Department of Defense, carrying out the investigation into the hack, found “archived records containing additional fingerprint data not previously analyzed,” OPM Press Secretary Sam Schumach said in a statement.

OPM still estimates that the total number of individuals whose personal information was purloined from its servers stands at 21.5 million.

The data stolen from OPM’s servers, which included information used in carrying out background checks for individuals seeking security clearances, has been described as a counterintelligence bonanza for China. Fingerprint data collected in the course of background investigations for individuals being considered for sensitive, high-level positions, for example, could aid China in identifying U.S. government employees for intelligence purposes.

But OPM was quick to downplay the security implications of the upward revision in the number of compromised fingerprint data. “Federal experts believe that, as of now, the ability to misuse fingerprint data is limited,” Schumach said in his statement. “However, this probability could change over time as technology evolves.  Therefore, an interagency working group with expertise in this area – including the FBI, DHS, DOD, and other members of the intelligence community – will review the potential ways adversaries could misuse fingerprint data now and in the future.”

While U.S. officials have been dismayed at the breach of OPM’s servers, they are not expected to make that attack a central focus of their talks with Chinese counterparts this week. Director of National Intelligence James Clapper has said that the United States would have carried out the same operation against China, if it had the chance to do so. Clapper said earlier this month that the U.S. intelligence community has so far not detected any use of the OPM data against the United States. Acting OPM Director Beth Cobert has said her agency has so far not detected any use of the purloined data to carry out fraud.

Talks in Washington this week between President Barack Obama and his Chinese counterpart are expected to focus heavily on the theft of intellectual property from U.S. firms by Chinese hackers. U.S. officials have threatened the use of sanctions against Chinese firms who have benefited from commercial espionage if China refuses to curtail such activity.

The OPM update, whether meant as a deliberate signal to China or not, wasn’t the only unpleasant bit of news awaiting Xi’s arrival. The Pentagon said on Tuesday that Chinese fighter jets made an “unsafe” interception of a U.S. spy plane over the Yellow Sea on Sept. 15. Such encounters between U.S. and Chinese forces, whether aircraft or ships, have become another point of tension in the bilateral relationship — and yet another awkward item on the agenda for Obama’s and Xi’s talks Thursday.

FRANCK FIFE/AFP/Getty Images