THE US OFFICE OF PERSONNEL MANAGEMENT (OPM) has admitted that the major security breach it suffered earlier this year is far worse than first thought.
The agency, which handles government security clearances and records for federal employees, admitted on Wednesday that the breach compromised the fingerprint records of at least 5.6 million federal employees, not the 1.1 million previously thought.
OPM, along with the Department of Defense, spent a chunk of the past year notifying millions of current and former government employees affected by the attack. During this process, OPM said in a statement, the agencies "identified archived records containing additional fingerprint data not previously analysed", which increased the estimated number of people who had fingerprint data stolen.
Those affected by the hack include staff at the FBI, Department of Homeland Security and the Pentagon.
However, the OPM downplayed the threat posed by the stolen fingerprint records, saying the ability to misuse the data is currently limited. But it acknowledged the danger could increase over time as technology evolves.
"Therefore, an interagency working group with expertise in this area [...] will review the potential ways adversaries could misuse fingerprint data now and in the future," the agency said.
"If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach."
Security firm Accellion's MD of EMEA, Keith Poyser, said this latest "surprising" revelation would further damage trust in the OPM.
"The initial approach should have focused on being as open and honest as possible to [the OPM's] customers," he said. "If you have a brand to protect, clients usually prefer honesty, and this can preserve trust and goodwill. In this instance, an open and transparent governance programme would go some way to limit the damage and protect the victims of the attack."
The "massive" cyber attack on the OPM took place in June, putting the personal data of four million current American federal employees at risk. This breach marked the second time the agency had been hacked in the past 12 months.