Five Million Sensitive Fingerprints Were Stolen. So What Happens Next?
The news was bad enough to begin with: the Office of Personnel Management (OPM) announced in June 2015 that the personal information of millions of Americans had been stolen in a major attack by hackers. The OPM, the federal government's human-resources agency, describes its role as "recruiting, retaining and honoring a world-class force to serve the American people."
Incredibly, and ironically, the stolen information was primarily sensitive data on people who had applied for background checks and security clearances. Shortly after the hack, the OPM announced that roughly 1.1 million sets of fingerprints had been taken in the breach. (A breach is an attack that results in data being exposed or stolen.)
A few months later (September 2015), the OPM announced that a deeper review of the hack had turned up more information:
- A review by the OPM and the Defense Department revealed that the number of fingerprints that had been stolen was actually 5.6 million.
- It was estimated that 21.5 million people had been affected by the cyber attack.
- In addition to fingerprints, Social Security numbers and other personal information had been stolen.
Unfortunately for those affected, the news updates didn't offer much consolation. The OPM's report was very matter-of-fact and sounded almost routine:
"The subset of individuals whose fingerprints have been stolen has increased from a total of approximately 1.1 million to approximately 5.6 million. This does not increase the overall estimate of the 21.5 million individuals impacted by the incident. An interagency team will continue to analyze and refine the data as it prepares to mail notification letters to impacted individuals."
By the way, it's still not clear who orchestrated the hack on the OPM. One website that discussed "12 Things You Should Know About the OPM Breach" didn't even address the question. (Still, it's been assumed that a foreign government, perhaps China, was behind the hack.)
Are you feeling a little nervous?
It is a little unnerving to hear that the number of fingerprints was five times higher than the original number given. Why was the initial low number even reported? Was that done to:
- Calm or reassure those affected (and everyone in the country)?
- Minimize the failure of the OPM's security measures?
- Minimize the true success of the hack?
- Get government officials off the hook?
One senator criticized the announcement and expressed ideas that many people likely share. He said there was still no reason to believe that the full story had come out, and he wondered if Washington simply hoped that the whole problem would disappear over time. (In fact, then-OPM head Katherine Archuleta resigned following the revelation of the cyber attack.)
His point seems to be well taken, because the fingerprint update wasn't the first time the OPM had revealed that there was more damage done than initially thought.
Upon further review...
At first, the OPM said that the hackers had stolen the data of 4.2 million people in the initial hack. About a month later, it revealed that in a second hack the attackers had stolen the Social Security numbers (and other information) of 21.5 million people.
Are you sleeping better?
Obviously, the OPM takes the hacks seriously, so what steps did it take in the wake of perhaps the largest breach of government personnel data in U.S. history?
- In October 2015, the OPM announced, as they had done earlier, that anyone who had been affected by the breach was eligible for fraud protection and identity theft services at no charge.
- They also tried to assure the public, as best they could, that its worst fears had not been realized, putting out a statement: "Federal experts believe that, as of now, the ability to misuse fingerprint data is limited." However, they had to admit that the situation could change at any time. Unlike a password or a credit card number, a fingerprint cannot be reissued, so whatever the stolen data can be used for in the future, the exposure is permanent.
Finally, the OPM announced that the government would go to great lengths to limit the damage. In an official statement, they said:
"An interagency working group with expertise in this area—including the FBI, DHS, DOD, and other members of the Intelligence Community—will review the potential ways adversaries could misuse fingerprint data now and in the future."
However, an article in The Wall Street Journal in October 2015 argued that the measures organizations take after a hack do little to limit damage that may already have been done, even damage not yet discovered. The article also implied that focusing so much attention on notifying victims is a misdirected effort.
And yet, companies are required to comply with the breach-notification laws of most states when a hack or data breach exposes personal information. The article's view is that more time and energy should be spent on preventing hacks and limiting their damage than on notifying victims after the fact.
Jeff Kosseff, an assistant professor of cybersecurity law at the U.S. Naval Academy and the author of the WSJ article, says offering bandages, such as free credit-reporting services, is a case of too little too late.
"We need to modernize our cybersecurity laws to minimize the frequency of and harm of breaches," Kosseff advises.
Sources: The Associated Press; foxnews.com (9/9/2015); and The Wall Street Journal (10/9/15)