14

The recent OPM hack has revealed more fingerprints were stolen than previously believed.

One of the scariest parts of the massive cybersecurity breaches at the Office of Personnel Management just got worse: The agency now says 5.6 million people's fingerprints were stolen as part of the hacks.

What, exactly, was stolen as part of this hack, and what are the potential implications of this data?

With access to this leaked data, can a person whose data has been leaked be identified based on a latent fingerprint? Can a fingerprint be fully or partially reconstructed from the data? Can the data lead to replicating someone's fingerprints, and then accessing resources protected with fingerprint data?

Steve Sether
  • On a similar subject http://security.stackexchange.com/questions/96550/how-to-store-encrypt-fingerprint – Gudradain Sep 23 '15 at 17:54
  • Potentially yes on all those. I have yet to see anybody test the raw data to see how detailed it is and thus what it is capable of, but if the prints are in high resolution it is really bad. Any fingerprint auth would be busted, essentially, for all those people. – Natanael Sep 24 '15 at 17:10
  • @Natanael Was this all publicly leaked and widely available on torrent sites, or just available for sale to criminals on darknet websites? – Steve Sether Sep 24 '15 at 17:23
  • @SteveSether haven't figured out if anything is public yet. Maybe I just don't know where to look, though – Natanael Sep 24 '15 at 17:24

1 Answer

9

This is what FiveThirtyEight.com has to say:

What To Do With A Million Stolen Fingerprints
Hint: Think bigger than iPhones.

[Fingerprints] could be used to sniff out individuals operating in a foreign country under false identities.

Imagine that you, an American spy, travel to Hackistan ostensibly to work as the ambassador’s dog walker. The Hackistani government grabs your fingerprints when you arrive in the country. But now, after their successful hack, they can check yours against the prints in the stolen OPM database.

They find that your prints are a partial match with the prints of a contractor who worked for the U.S. Department of Defense a decade ago. Uh oh.

For national and cybersecurity experts, the thought of fingerprints in particular falling into the wrong hands is especially frightening. As National Journal wrote:

Much of their concern rests with the permanent nature of fingerprints and the uncertainty about just how the hackers intend to use them. Unlike a Social Security number, address, or password, fingerprints cannot be changed—once they are hacked, they’re hacked for good.

Earlier this month, the Defense Department awarded a $133 million contract to an identity-theft-protection-services company to monitor the hacked data. This is an indicator of how much people are concerned.

feral_fenrir