Biometric security alarm raised as hackers steal 5.6 million fingerprints


The US Office of Personnel Management says that hackers who breached its systems over the summer made off with the fingerprint records of 5.6 million individuals, raising questions over the security of biometrically-protected identities.

Of the 21.5 million individuals whose Social Security Numbers and other sensitive information were impacted by the breach, the subset of individuals whose fingerprints have been stolen has increased from an initial estimate of 1.1 million to approximately 5.6 million.

The theft of fingerprint records is likely to send tremors through the financial services industry, which has been a cheerleader for the increased use of biometric data to protect access to buildings, computers and consumer mobile logins.

In a statement, the OPM says: "Federal experts believe that, as of now, the ability to misuse fingerprint data is limited. However, this probability could change over time as technology evolves."

In response, the US has assembled an interagency working group with expertise in this area - including the FBI, DHS, DOD, and other members of the Intelligence Community - to review the potential ways adversaries could misuse fingerprint data now and in the future. This group will also seek to develop potential ways to prevent such misuse.

"If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach," the OPM states.

While the stolen data may be of little use to hackers with a financial motivation at the moment, it will raise alarm bells for consumers, who have been slowly coming round to the use of biometrics for securing their personal financial information.

Comments: (3)

Hitesh Thakkar - SME - Fintech startups (APAC and Africa) - India 24 September, 2015, 14:41

Certainly this security incident will raise a lot of questions in consumers' minds as well as bring difficulty for financial institutions to build confidence through customer education.

Mostly all fingerprint scanners have an inbuilt scan-and-encrypt feature to send data over the network (I refer to known brands - Fujitsu, 3M Cogen, Sagem Morpho ...) in a secured way from the device to the device driver as well as further to the host. A fraudster may find it difficult to replace it as a man-in-the-middle attack, but again it is subject to the implementation and architecture followed while designing biometric authentication.

A Finextra member 25 September, 2015, 06:51

Could someone issue me a new PAN, PIN and fingerprint please?

Craig Lawrance - Starkspur Ltd - Chalfonts 25 September, 2015, 07:54

@Martincox - absolutely right! As a static piece of security data, once digitised it's there forever for fraudsters to exfiltrate...