National Security

Feds acknowledge more than 5M fingerprints stolen in breach, far more than thought

Kevin Corke reports


The number of people whose fingerprints were stolen in a historic breach of federal files has skyrocketed -- from just over 1 million to an estimated 5.6 million, according to the federal agency that was hacked. 

The Office of Personnel Management acknowledged Wednesday that the number of fingerprints stolen is far greater than initially thought. 

The information was part of an array of sensitive files, including Social Security numbers, swiped in a hack estimated to have affected 21.5 million people total -- including people who applied for security clearances and their families. 

In a statement, OPM said the agency, together with the Defense Department, discovered during their review that more fingerprints were taken. 

"The subset of individuals whose fingerprints have been stolen has increased from a total of approximately 1.1 million to approximately 5.6 million," OPM said Wednesday. "This does not increase the overall estimate of 21.5 million individuals impacted by the incident. An interagency team will continue to analyze and refine the data as it prepares to mail notification letters to impacted individuals." 

OPM issued the statement just as Pope Francis was beginning his visit to Washington, and speaking at the White House. Republican Nebraska Sen. Ben Sasse suggested the administration was trying to slip in the development. 

"Today's blatant news dump is the clearest sign yet that the administration still acts like the OPM hack is a PR crisis instead of a national security threat," he said in a statement. "The American people have no reason to believe that they've heard the full story and every reason to believe that Washington assumes they are too stupid or preoccupied to care about cyber security." 

The revelations also come as Chinese President Xi Jinping, whose country has been implicated by some in the breach but not formally blamed, prepares to visit Washington as part of his state visit. 

President Obama has said that cybersecurity issues will be addressed during their meetings. 

On Wednesday, OPM reiterated that anyone affected by the breach is eligible for identity theft and fraud protection services, "at no cost to them." 

OPM said "federal experts believe that, as of now, the ability to misuse fingerprint data is limited." OPM acknowledged this could change "as technology evolves." 

"Therefore, an interagency working group with expertise in this area -- including the FBI, DHS, DOD, and other members of the Intelligence Community -- will review the potential ways adversaries could misuse fingerprint data now and in the future," OPM said. 

This is not the first time the government has acknowledged the breach was broader than initially thought. 

In July, the administration disclosed that in addition to 4.2 million people whose records were stolen in an initial hack first revealed earlier this year, more than 21.5 million had their Social Security numbers and other sensitive information stolen in a second hack, believed to be the biggest in U.S. history. 

Then-OPM head Katherine Archuleta resigned following the revelation. 

The Associated Press contributed to this report.