In Major Humiliation, Government Admits Nearly 6 Million Fingerprints Were Stolen In OPM Hack
What began with an alleged attempt by Kim Jong-un to sabotage Seth Rogen and James Franco for plotting to assassinate his likeness on film, and what reached peak absurdity when Penn State claimed that Chinese hacker spies had taken control of the university’s engineering department, culminated with what’s been variously described as “the largest theft of US government data ever” and an attack “so vast in scope and ambition that the usual practices for dealing with traditional espionage cases [do] not apply.”
Those rather dramatic sounding characterizations refer of course to the alleged breach of the Office of Personnel Management by Chinese hackers.
That attack compromised some 22 million government employees. For its part, Beijing initially called the accusations that the attack emanated from China “irresponsible” and “groundless.”
Amusingly, the counter-hacking system that is supposed to prevent things like this from happening is called “Einstein” and by the US government’s own admission, it’s already obsolete. Unfortunately, Congress’ now famous inability to do what they were elected to do (i.e. legislate) has left the USunable to pass a cyber security initiative that would help the US better protect itself against attacks like that which occurred on the OPM.
In any event, cyber security was back in the spotlight (actually it never really left) last week when the US decided that slapping Chinese entities with sanctions for their alleged role in hundreds of cyber attacks on the US over the course of the last half decade was probably a bad idea ahead of a visit by Chinese President Xi Jinping, who some analysts predicted simply would not make the trip if Washington was unwilling to do Beijing the courtesy of waiting until Xi was back in China before handing down sanctions.
But while the Obama administration did indeed relent on the timing of the cyber sanctions, new revelations regarding the theft of “biometric ID authentication markers” (a.k.a fingerprints) look set to make Xi’s visit a bit more uncomfortable than it otherwise would have been, especially in light of comments he made in a speech in Seattle. Here’s Wired with more:
When hackers steal your password, you change it. When hackers steal your fingerprints, they’ve got an unchangeable credential that lets them spoof your identity for life. When they steal 5.6 million of those irrevocable biometric identifiers from U.S. federal employees—many with secret clearances—well, that’s very bad.
On Wednesday, the Office of Personnel Management admitted that the number of federal employees’ fingerprints compromised in the massive breach of its servers revealed over the summer has grown from 1.1 million to 5.6 million. OPM, which serves as a sort of human resources department for the federal government, didn’t respond to WIRED’s request for comment on who exactly those fingerprints belong to within the federal government. But OPM had previously confirmed that the data of 21.5 million federal employees was potentially compromised by the hack—which likely originated in China—and that those victims included intelligence and military employees with security clearances.
The revelation comes at a particularly ironic time: During the U.S. visit of Chinese president Xi Jinping, who said at a public appearance in Seattle that the Chinese government doesn’t condone hacking of U.S. targets, and pledged to partner with the U.S. to curb cybercrime.
“As part of the government’s ongoing work to notify individuals affected by the theft of background investigation records, the Office of Personnel Management and the Department of Defense have been analyzing impacted data to verify its quality and completeness,” reads OPM’s statement posted to its website. “During that process, OPM and [the Department of Defense] identified archived records containing additional fingerprint data not previously analyzed. Of the 21.5 million individuals whose Social Security Numbers and other sensitive information were impacted by the breach, the subset of individuals whose fingerprints have been stolen has increased from a total of approximately 1.1 million to approximately 5.6 million.”
And while the government was of course in full damage control mode, swearing that “as of now, the ability to misuse fingerprint data is limited,” they better be right, because as Wired goes on to note,“the national security implications of having the fingerprints of high-level federal officials in the hands of hackers who are potentially employed by a foreign government” are far from clear.
Now all of that assumes that a state actor is indeed behind the attack and frankly, assuming that to be true is to accept the narrative that China, Iran, and Russia have now formed a kind of cyber “Axis of Evil” and that narrative plays right into the hands of policymakers who are desperate to perpetuate the existing juxtaposition of world powers.
What comes next we can’t say but one thing seems abundantly clear: regardless of who’s doing the hacking, the US government is completing inept when it comes to stopping it and on that note, we close with the following from Senator Ben Sasse:
“The American people have no reason to believe that they’ve heard the full story and every reason to believe that Washington assumes they are too stupid or preoccupied to care about cyber security.”