It took weeks before the Office of Personnel Management (OPM) admitted that almost 22-million federal employee personnel and security records had been cracked in two separate attacks. Months later, the OPM and Department of Defense (DoD) confessed that "Of the 21.5 million individuals whose Social Security Numbers and other sensitive information were impacted by the breach, the subset of individuals whose fingerprints have been stolen has increased from a total of approximately 1.1 million to approximately 5.6 million."
The OPM excuse for this delay was that the OPN and DoD had been been "analyzing impacted data to verify its quality and completeness." While the overall estimate of 21.5 million individuals records being revealed has not increased, this puts the privacy of 25 percent of these employees into even more danger. The government promises that "an interagency team will continue to analyze and refine the data as it prepares to mail notification letters to impacted individuals."
The government experts believe that, "as of now, the ability to misuse fingerprint data is limited."
That simply isn't true.
The OPM continued: "This probability could change over time as technology evolves. Therefore, an interagency working group with expertise in this area - including the FBI, DHS, DOD, and other members of the Intelligence Community - will review the potential ways adversaries could misuse fingerprint data now and in the future."
Funny, I see fake fingerprints used all the time in movies and TV shows to break physical security. This isn't just fiction. It's reality.
Fingerprint faking is simple and can be used every day. For example, Marc Rogers, CloudFlare's Principal Security Researcher, while at Lookout, the mobile security company demonstrated how easy it was to crack Apple's TouchID on both the iPhone 5s and 6. With the real fingerprints, hacking fingerprint security becomes trivial.
The government promises that the interagency working group will seek to develop potential ways to prevent such misuse." Good luck with that.
The feds also re-promise that "all individuals impacted by this intrusion and their minor dependent children (as of July 1, 2015) are eligible for identify theft and fraud protection services, at no cost to them.. The OPM and DoD admit, however, that they have yet to begin mailing notifications to affected individuals.
As I've said before, and I'll say again, I don't blame the OPM and DoD for this continuing security and privacy fiasco so much as I do a Congress that refuses to pay to truly reform a fundamentally impoverished and dysfunctional personell security system.