The Office of Personnel Management (OPM) amended its initial claim in July that 1.1 million fingerprint records were stolen, now admitting hackers retrieved more than five times that amount.
In a statement released Wednesday, OPM Press Secretary Sam Schumach said that during the OPM and Department of Defense's ongoing investigation, it found approximately 5.6 million individuals' fingerprint records were stolen. The agency said, however, that this increase does not affect the total number of individuals involved in the data breach, which still stands at 21.5 million.
The previously unaccounted fingerprint records were found in an archive and had not been analyzed initially, Schumach said.
The OPM has largely downplayed the severity of risk involved with stolen fingerprints, saying "Federal experts believe that, as of now, the ability to misuse fingerprint data is limited."
However, many across the information security industry don't necessarily agree. Fingerprint data -- unlike passwords and credit card numbers -- cannot be changed, making the theft a much more serious security and privacy threat.
"The stolen information now includes data that could be used to defeat some simple biometric systems," Jean Taggart, senior security researcher at Malwarebytes in San Jose, Calif., said in an email statement. "This has been confirmed as possible and has been demonstrated."
"This issue illustrates one of the core problems with biometric identification. If an attacker has your fingerprints, what do you do? You can't really change your fingers," Taggart said.
"Biometrics, like fingerprints, are the passwords of the future, and the staggering 5.6 million people of interest who have had their future passwords stolen from OPM are exposed to potential threats no one really understands," said Jonathan Sander, vice president of product strategy at Lieberman Software Corp., based in Los Angeles. "In theory, these fingerprints stolen from OPM shouldn't be able to do much harm right now. But who knows what shortcuts may exist in future applications that will allow a mere shadow of a print, like the data OPM had, to become the way some future breach is pulled off."
Igor Baikalov, chief scientist at Los Angeles-based Securonix Inc., said scanning fingerprints for biometric authentication isn't always 100% accurate. "Contrary to a popular belief, fingerprints are not unique, and out of 5.6 million fingerprints compromised, there can be quite a few people who have fingerprints similar enough to be accepted by the biometric authentication system," he said.
"One of the key challenges with biometric authentication is that it's immutable," said Tim Erlin, director of IT security and risk strategy at Tripwire Inc., based in Portland, Ore. "You can't change your fingerprints, retinas or voice prints. When biometric credentials are compromised, it's very hard to recover … While cybercriminals may not be positioned to leverage stolen biometrics now, that will change, as these types of authentication are more widespread."
Expert Graham Cluley noted that fingerprints should not be considered passwords. "You leave your fingerprints lying around all over the place every day -- a fact that hackers attempting to breach biometric authentication systems have taken advantage of in the past," Cluley said.
Tammy Moskites, CIO and CISO of Salt Lake City-based Venafi Inc., said, "Having biometrics stolen is terrifying for two major reasons. One, there could be a brand new type of stolen goods being trafficked on the black market: biometrics. Two, those whose biometrics were stolen will have to deal with losing their identity for the rest of their lives. It is still unclear what the hackers plan to do with the biometric data they have stolen, but already impersonators are on the black market selling fake OPM-breached fingerprints."
"This could open up a Pandora's Box for those impacted by the breach," Moskites continued. "Your fingerprints, along with other biometric data, are exposed and easy for the taking … Keeping your biometric data secure is a serious security concern that hasn't been addressed much -- at least not to date."
The OPM did admit that the ability of hackers to use fingerprint data is "likely to change over time as technology evolves."
According to the OPM statement, an interagency group will "review the potential ways adversaries could misuse fingerprint data now and in the future. This group will also seek to develop potential ways to prevent such misuse. If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach."
The agency will also continue to review the breached data to "enhance its quality and completeness," as well as "monitor for any misuse."
A first OPM breach reported in June affected 4 million victims, all of whom have been notified. A second breach reported in July found that 21.5 million personal records, including Social Security numbers and health records, were stolen, along with the originally estimated 1.1 million fingerprint records. At that same time, Chinese hackers emerged as the main suspect involved in the breach, though China denies any involvement and the U.S. has yet to make a formal accusation.
In the most recent OPM statement, Schumach reiterated that the OPM is offering free identity protection services to those affected. An interagency team is preparing to mail notification letters to the victims.
In other news
- Zero-day acquisition company Zerodium announced Monday it would give a $1 million bounty to the individual or team that submits an "exclusive, browser-based and untethered jailbreak for the latest Apple iOS 9" that allows a "remote privileged and persistent installation of an arbitrary app on a fully updated device." The company, which says it will pay out a total of $3 million in rewards, has a few stipulations, however. The attack must be "unknown, unpublished and unreported," work on a range of devices -- including iPhones, iPad Airs and iPad Minis -- and needs to be able to bypass iOS security controls, including ASLR, sandboxes and bootchain. In addition, the initial vector must be able to be completed through a webpage targeting the mobile browser or an application reachable through the browser, or through a text/multimedia file delivered through SMS or MMS. "Apple's iOS is currently the most secure mobile OS," Zerodium's website reads. "But don't be fooled, secure does not mean unbreakable." Zerodium will analyze and document all the research it receives and share it with its customers, including "major corporations in defense, technology and finance … as well as government organizations in need of specific and tailored cybersecurity capabilities." The contest ends on Oct. 31, or when the $3 million payout is made.
- The chief information security officer of the Department of Homeland Security is looking for harsher punishment for those who fall victim to phishing scams, according to a Defense One report. During a panel discussion on government CISO priorities at the Billington Cybersecurity Summit in Washington, D.C., last week, DHS CISO Paul Beckman said he tests his employees using his own phishing emails, ones that would look "blatant" to any security practitioner. If an employee falls for the phishing scheme, he must attend online security awareness training. However, Beckman said many have failed the test up to two or three times, and this is worrisome. "There are no repercussions to bad behavior," he said. "There's no punitive damage, so to speak. There's really nothing to incentivize these people to be aware, to be diligent." Beckman thinks repercussions are needed -- up to and including revoked security clearances. "Someone who fails every single phishing campaign in the world should not be holding a [top secret, sensitive compartmentalized information clearance] with the federal government," Beckman said. "You have clearly demonstrated that you are not responsible enough to responsibly handle that information." SANS Institute Director John Pescatore agreed. "Assuming reasonable efforts have been made to reduce the amount of spam and obvious phishing that reaches the end user -- and that some level of user education has been done -- there should be consequences for repeat offenders," Pescatore said. "Losing Internet access might be a better first step for some, but yanking access to classified systems is not a bad idea." Beckman is reportedly speaking with the DHS chief security officer about his plans for phishing punishments.
- The 15-year-old Safe Harbor agreement between the United States and Europe has been called into question following the release of an opinion by European Court of Justice (ECJ) Advocate General Yves Bot. Safe Harbor -- which allows U.S.-based companies to transfer customer data from Europe across the Atlantic -- was deemed invalid by Bot in his opinion on the case of Maximillian Schrems vs. Data Protection Commissioner. Austrian law student Schrems filed a complaint, claiming Safe Harbor did not adequately protect his Facebook data that was stored in the U.S. and subject to government surveillance practices. While the Irish Data Protection Authority rejected Schrems' claim, he appealed and the case is now with the ECJ. In his opinion, Bot wrote, "A number of revelations have recently brought to light the existence of large-scale information-gathering programs in the United States. Those revelations have given rise to serious concerns as to whether the requirements of EU law are observed when personal data is transferred to undertakings established in the United States and about the weaknesses of the Safe Harbor scheme." The Safe Harbor agreement, signed in 2000, stipulates that companies meet several data protection conditions. While the ECJ has neither accepted Bot's opinion nor invalidated Safe Harbor, the Court generally follows his advice. An overturning of Safe Harbor could have major implications for large and small businesses that do business with European-based companies and individuals. If Safe Harbor is in fact invalidated and an agreement is not reached between the U.S. and EU, companies may be forced to create European-only databases or pursue other alternatives, which could be costly. Businesses dependent on Safe Harbor are urged to review data transfers immediately.