Hackers made off with a lot more than just names, home addresses, and social security numbers when they stole more than 20 million records from the US government earlier this year.
In a statement Wednesday, US officials said that some 5.6 million fingerprints were also included in the massive April breach that affected the Defense Department's Office of Personnel Management. The OPM had previously reported that only 1.1 million fingerprints were stolen.
The OPM discovered in June that some 19.7 million individuals who had applied for a background check had their Social Security number stolen along with their full name and home address.
An additional 1.8 million people who did not apply for a job, but were related to someone subjected to a background check — primarily as that person's spouse or co-habitant — also had their Social Security number stolen. In total, the security breach affected some 21.5 million individuals.
The new revelation that so many fingerprints were included is unnerving to say the least. Fingerprints and other biometric data have widely been considered the best way to secure personal data because of that simple fact — if it's unique only to us, then we are protected.
While you can apply for a new social security number or change your password, there really isn't anything you can do for a stolen fingerprint. Once it's stolen, it's out there forever.
"Depending on whose hands the fingerprints come into, they could be used for criminal or counterintelligence purposes. For instance, they could be trafficked on the black market for profit or used to reveal the true identities of undercover officials," the June press release about the hack reads. "Also a concern is that biometric data such as fingerprints cannot be reissued—unlike other identifying information such as Social Security numbers. This could make recovery from the breach more challenging for some."
The latest press release from the OPM, however, tries to downplay any impact the stolen biometric data may have.
"Federal experts believe that, as of now, the ability to misuse fingerprint data is limited. However, this probability could change over time as technology evolves," the press release says. "If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach."
Regardless of whether the information is used in a nefarious manner or not, the breach highlights the problems in using biometric data to secure our personal information and validate our identity.
If hackers can get a hold of your fingerprint on the blackmarket the same way they can get access to other personal data like social security numbers, then nothing protected by your biometric information is safe.
