How much value will fingerprint data have in future cyberattacks?
That question looms large as the Office of Personnel Management said Wednesday that about 5.6 million fingerprints were stolen in its summer data breach, up from the 1.1 million estimate previously given.
In a statement, the Office of Personnel Management (OPM) said its investigation with the Department of Defense (DoD) found archived records with additional fingerprint data. These archives were tapped by hackers too.
The good news is that the federal agencies said "the ability to misuse fingerprint data is limited." However, fingerprints could become easier to misuse as technology evolves. Federal agencies will create a working group to see how fingerprint data can be used by cyber attackers. This working group will include the FBI, Department of Homeland Security, DoD, and other members of the Intelligence Community.
Here's a key theme from the OPM statement: federal agencies don't know how the fingerprint data could be used today, but if it was swiped, there has to be some value to it. Years from now, the stolen fingerprint data could be a good asset for a cybercriminal or another government. In other words, fingerprint data has real value to cybercriminals, but it's not clear how much it's worth.
Perhaps the real turning point from the OPM disclosure is that cybercriminals are thinking long term. Fingerprints don't have a lot of value today, but could be an asset in the future.
Simply put, the bad guys are thinking longer term than the good ones.
Tim Erlin, Tripwire's director of IT security and risk strategy, summed the fingerprint data issue up well:
One of the key challenges with biometric authentication is that it's immutable. You can't change your fingerprints, retinas or voice prints. When biometric credentials are compromised, it's very hard to recover. Using multi-factor authentication can provide mitigation in these cases. The best authentication, as the old adage goes, requires something you are, something you have and something you know.
While cybercriminals may not be positioned to leverage stolen biometrics now, that will change as these types of authentication are more widespread. Most iPhones can use a fingerprint for authentication these days, and criminals always look for the most profitable targets.
The working group examining the use of fingerprint data is likely to spend a lot of time pondering cyber warfare and what a nation-state could do with fingerprint data. That's a good place to start. However, this working group can't stop there, especially when your friendly neighborhood smartphone is carrying fingerprint data.