Spooks at risk as US government admits theft of 5.6 million fingerprints

Loss of fingerprint data at Office of Personnel Management could compromise security agents working in the field

The US government has admitted that 5.6 million fingerprints of government employees were stolen in the massive cyber-security breach at the Office of Personnel Management (OPM) - potentially putting the lives of US security agents in the field at risk.

The admission was made as the OPM and US Department of Defense continue their investigation in what may be one of the biggest-ever cyber-attacks. However, OPM press secretary Sam Schumach insisted that the overall number of US government workers affected by the breach remains the same - 21.5 million people.

Schumach went on to argue that the impact of the loss of fingerprint data would be minimal. "Federal experts believe that, as of now, the ability to misuse fingerprint data is limited. However, this probability could change over time as technology evolves," Schumach wrote.

Schumach revealed that an inter-agency working group, including experts from the FBI, Department of Homeland Security and Department of Defense "will review the potential ways adversaries could misuse fingerprint data now and in the future".

Indeed, given the admission that the details of staff involved in high-security work was also cracked, the loss of fingerprint data could end-up compromising security service staff working in the field.

The attack on the OPM was revealed in June 2015. A long-running breach, it is believed to have started in March 2014, and only picked up in April 2014. Some 21.5 million records of US government employees are believed to have been stolen, including people who have undergone extensive background checks for sensitive work.

The sensitive information that the attackers were able to steal includes social security numbers, names, dates, places of birth and people's addresses - everything an attacker might need to conduct identify theft.

It comes ahead of a diplomatic visit by Chinese President Xi Jinping, while US officials suspect that Chinese government hackers were responsible for the attack. Carl Wright, general manager of security services company TrapX, suggested that organisations need to take a different approach to security.

"The internal virtual LANS and servers at OPM were substantially compromised and the forensics data has not helped OPM quickly enough," said Wright. "The original cyber strategy at the Office of Personnel Management was primarily focused on protecting the perimeter. Today, CISOs are starting to assume that their networks will be breached regularly, and that they must define a strategy for detecting them early and then defending against the attack."