5.6 million fingerprints hacked: Cyber attack on US Office of Personnel Management 5 times worse than previously thought

One of the scariest parts of the massive cybersecurity breaches at the Office of Personnel Management just got worse: The agency now says 5.6 million people’s fingerprints were stolen as part of the hacks.

That’s more than five times the 1.1 million government officials estimated when the cyberattacks were initially disclosed over the summer.

However, OPM said Wednesday the total number of those believed to be caught up in the breaches, which included the theft of the Social Security numbers and addresses of more than 21 million former and current government employees, remains the same.

OPM and the Department of Defence were reviewing the theft of background investigation records when they identified additional fingerprint data that had been exposed, OPM said in a statement. 

Breaches involving biometric data like fingerprints are particularly concerning to privacy experts because of their permanence: Unlike passwords and even Social Security numbers, fingerprints cannot be changed. So those affected by this breach may find themselves grappling with the fallout for years.

"The fact that the number [of fingerprints breached] just increased by a factor of five is pretty mind-boggling," said Joseph Lorenzo Hall, the chief technologist at the centre for Democracy & Technology.