The hackers who stole millions of federal personnel files also took 1.1 million fingerprints, a theft that poses an unprecedented danger.
This is extremely sensitive information, especially as we increasingly use biometric scanners on phones and computers.
This could be one of the potentially worst parts of the Office of Personnel Management hack affecting 21.5 million people. Whoever has this information — U.S. intelligence thinks it’s likely China — could use the stolen fingerprints to better spy on America.
“It’s across federal agencies. It’s everybody,” an OPM spokesman told CNNMoney on Friday.
In a Mission Impossible-type scenario, the thieves could create physical copies using latex or similar materials, then break into the fingerprint-locked devices of U.S. diplomats and government agents. This would expose secret conversations, disrupt investigations or poison international negotiations.
And potentially worse, these stolen records could unmask undercover investigators masquerading as other people.
“They’re completely compromised,” said biometrics expert Ramesh Kesanupalli. “A secret agent’s name might be different. But they’ll know who you are because your fingerprint is there. You’ll be outed immediately.”
Kesanupalli has given fingerprints a lot of thought. He created something called the FIDO protocol, a safe way to use the human body to unlock devices. And now he wonders if this collection of 1.1 million stolen fingerprints will end up on the black market. It would create a brand new type of trafficked stolen good: biometrics.
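The core idea behind a FIDO-style design, as an added illustration that is not part of the article: the fingerprint template is matched on the device itself, and only a signature over the server's challenge crosses the network, so a breach of the server's database yields public keys and no biometric data. The exact byte comparison stands in for a real fuzzy matcher, and the user name, template and challenge values are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Authenticator models the device: template and private key never leave it.
type Authenticator struct {
	template []byte // locally stored fingerprint template (constructed sample)
	priv     ed25519.PrivateKey
}

// RelyingParty is the server side: it stores only public keys, no biometrics.
type RelyingParty struct{ pubKeys map[string]ed25519.PublicKey }

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{pubKeys: map[string]ed25519.PublicKey{}}
}

// Register enrolls a fresh key pair; the server receives only the public half.
func Register(user string, rp *RelyingParty, template []byte) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.pubKeys[user] = pub
	return &Authenticator{template: template, priv: priv}, nil
}

// Sign performs the local biometric match, then signs the server's challenge.
// A real matcher is fuzzy; exact comparison is a simplification for the demo.
func (a *Authenticator) Sign(scan, challenge []byte) ([]byte, error) {
	if subtle.ConstantTimeCompare(a.template, scan) != 1 {
		return nil, errors.New("local fingerprint mismatch")
	}
	return ed25519.Sign(a.priv, challenge), nil
}

// Verify checks the signature against the stored public key for the user.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.pubKeys[user]
	return ok && ed25519.Verify(pub, challenge, sig)
}

// Dump returns everything an attacker would get by stealing the server store.
func (rp *RelyingParty) Dump() []byte {
	var out []byte
	for _, pub := range rp.pubKeys {
		out = append(out, pub...)
	}
	return out
}

func main() {
	rp := NewRelyingParty()
	tpl := []byte("constructed-template-alice")
	auth, _ := Register("alice", rp, tpl)
	sig, _ := auth.Sign(tpl, []byte("server-nonce-1"))
	fmt.Println("verified:", rp.Verify("alice", []byte("server-nonce-1"), sig))
}
```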
That’s worse than exposed Social Security numbers. Those can be replaced.
“It’s not like they have someone’s password. Fingerprints are data that doesn’t change. They’ll never change. Twenty years from now, this will still be useful,” said Robert M. Lee, co-founder of cybersecurity software maker Dragos Security.
Cybersecurity experts are trying to make fingerprints even harder to duplicate.
Karl Weintz, who leads the biometrics company Sonavation, said his firm is creating a fingerprint scanner that uses ultrasound to scan 5 millimeters deep, mapping bone structure, blood vessels, and even nerve endings.
At this point, it’s difficult to determine how detailed and exact the stolen records are. Some federal agencies use classic ink-on-paper, while others use high-resolution digital scans. OPM couldn’t immediately determine how all 1.1 million records were stored, but the stolen batch does include fingerprint records going back to 2000, when ink images were regularly used.
“They have the most secure keys for people who are interesting enough for OPM to get fingerprints of,” said Jonathan Sander, an executive at cybersecurity firm STEALTHbits. “What locks can these guys open? That’s the question.”