It turns out roughly 5.6 million federal employees may have had their fingerprints stolen as part of this year’s mammoth Office of Personnel Management breach – a figure five times what the agency initially announced in June.
OPM press secretary Sam Schumach broke the bad news Wednesday morning, but insisted that the previously announced number of those impacted by the hack overall – 21.5 million government workers – remains the same.
In addition to millions of fingerprints, the OPM hack is also believed to have leaked information such as workers’ Social Security numbers, dates of birth, employee performance records, employment history, employment benefits, resumes, school transcripts, along with military service documentation, and findings from interviews conducted by background investigators.
To assuage former and current government employees who may have had their fingerprints stolen, OPM is insisting that it doesn’t believe hackers will misuse the data – yet.
“Federal experts believe that, as of now, the ability to misuse fingerprint data is limited. However, this probability could change over time as technology evolves,” Schumach wrote.
To look into potential attack scenarios further, OPM claims a collaborative group, including members of the FBI, DHS, and DOD, will tackle “ways to prevent such misuse.”
In related, perhaps equally alarming news, the agency clarified Wednesday that it still hasn’t begun mailing notification letters to those affected by the hack.
OPM said at the beginning of September that it would begin sending letters to victims of the breach “in a few weeks,” yet the agency’s recent statement reiterates that an interagency team is still working in tandem with the Department of Defense to prep the letters.
“An interagency team will continue to analyze and refine the data as it prepares to mail notification letters to impacted individuals,” Schumach wrote.
According to a forecast from technology research firm Gartner today, companies worldwide will spend $75.4 billion on security this year. OPM announced earlier this month that it will spend at least $150 million of that figure as it attempts to provide victims of the attack with credit monitoring, insurance, and other services over the next three years.