With the admission Wednesday that the fingerprints of 4 million more current and former federal employees were stolen during the OPM data breach, cybersecurity and information experts said the revelation is cause for worry but also an opportunity for improvement.
Office of Personnel Management Press Secretary Sam Schumach said in a Sept. 23 statement that the number of people whose fingerprints had been stolen rose from 1.1 million to roughly 5.6 million. That increase does not, however, raise the overall estimate of breach victims, which currently stands at 21.5 million.
“Federal experts believe that, as of now, the ability to misuse fingerprint data is limited,” Schumach said in the statement. “However, this probability could change over time as technology evolves. Therefore, an interagency working group with expertise in this area — including the FBI, DHS, DOD, and other members of the Intelligence Community — will review the potential ways adversaries could misuse fingerprint data now and in the future. This group will also seek to develop potential ways to prevent such misuse. If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach.”
The additional fingerprint records were identified during analysis of the stolen background investigation records, the statement said, as the embattled agency works to notify victims of the breach and provide identity protection services.
The practice of using fingerprints is not new, said Deborah Golden, federal cyber risk services leader for Deloitte, but as attackers become more savvy, more secure forms of identification should be considered.
Fingerprints are used for criminal records, banking, even access to personal cell phones, Golden said, and the federal government “has been leveraging fingerprinting for forever as part of the background process.”
“It’s interesting that people and companies, agencies, organizations, are looking at fingerprints as a means of biometrics being more secure in that environment,” Golden said. “People may think that a fingerprint or retinal scan is more secure, but people need to think about the vulnerabilities that come with storing that type of information.”
While a username and password can be reset over and over again, “you can’t change somebody’s fingerprints,” Golden said. “Once a fingerprint has been compromised, it’s been compromised.”
Those fingerprints could be used for anything from counterintelligence to terrorism to blackmail.
Golden said that is why multifactor authentication is a popular security alternative: a smart card such as a CAC (Common Access Card) or PIV (Personal Identity Verification) card, or “some other physical asset used to justify that access, in addition to the user identification and password.”
Tim Erlin, director of IT Security and Risk Strategy at Tripwire, echoed the importance of multifactor authentication.
“You can’t change your fingerprints, retinas or voice prints,” Erlin said in a statement. “When biometric credentials are compromised, it’s very hard to recover. Using multifactor authentication can provide mitigation in these cases. The best authentication, as the old adage goes, requires something you are, something you have and something you know.”
But David Parker, director of the Center for the Study of Fraud and Corruption at Saint Xavier University, said while the fingerprint theft should not be taken lightly, it also likely won’t have as broad or as serious an impact as some of the other information stolen during the breach.
“It’s more a counter-intelligence issue than commercial espionage,” Parker said. “Odds are you’re not going to see a lot of this information on the black market.”
What’s also important to remember, Parker said, is that this form of theft isn’t unique.
“Pretty much every government does it,” Parker said. “If anything, some of the people in the intelligence community are nodding their heads saying this is a pretty good job, I wish we could do it.”
As for what could be done with the fingerprints, Parker said “not a whole lot, really.”
Security clearance issues are an obvious concern, Parker said, but “that depends on the individual.”
In those cases, Parker said, a flag could be placed on the employee’s account showing there had been a theft of information, or the person could be required to provide a different type of identification such as a retinal print.
“Transparency is the big issue here,” Parker said. “It’s a black eye. For the most part for the average person it’s not going to turn out to be any major threat. What’s much more damaging … is the personal information rather than the biometrics. The date of birth, social security number, that type of information is much more readily usable.”