It was one of the largest cyber attacks ever carried out against the U.S. government: At least 21.5 million military, civilian and contractor personnel had their sensitive data stolen, and an estimated 5.6 million had their fingerprints compromised.
Now, four months later, Americans are still dealing with the consequences of July’s massive cyberbreach.
The Office of Personnel Management, the agency the runs the twice hacked database, has been sending out letters to individuals who saw their information stolen.
One OPM letter was provided to WND by an individual who had the following records compromised:
- Social Security number
- Date and place of birth
- Education history
- Employment history
- Personal foreign travel history
- Information about immediate family
- Information about business and personal acquaintances
- Other information used to conduct a background investigation
‘Every minute detail of your life’
“I’ve never had data stolen at this scale before — and I’ve never had data stolen that also jeopardizes my friends and family,” wrote Slate’s Josephine Wolff, who received a similar OPM letter this week notifying her that her information was compromised.
“For those of you who have never had a security clearance, it involves not just dredging up and recording every minute detail of your life (everywhere you’ve lived, every job you’ve ever held, every trip you’ve ever taken, every potentially embarrassing or blackmail-worthy moment of your existence) but also a considerable amount of information about other people (your relatives, neighbors, bosses, roommates, exes, friends in foreign countries — their full names, addresses, telephone numbers, citizenship).”
According to the following letter, OPM is offering “comprehensive identity theft protection and monitoring services, at no cost” to affected individuals and their minor children, a gesture Wolff described as “a laughable attempt at damage control”:
The government considers it to be applicants’ responsibility to alert third parties listed on the background check forms.
Wolff said, “I’ll go home for Thanksgiving later this week and tell my family members that they may be at risk and there’s nothing I can do about it beyond urg[ing] them to monitor their credit and issue a credit freeze. Am I supposed to awkwardly call up old friends and former acquaintances and let them know they may be impacted, like I’ve just been diagnosed with some kind of digital [sexually transmitted infection]?”
Why fingerprints might be valuable to hackers
If thieves obtain Social Security numbers, they can apply for credit cards or loans, obtain medical care under another person’s identity, file for fraudulent tax refunds or Social Security benefits and even ruin an individual’s legal record by providing the false number to law enforcement after they commit a crime.
But many Americans ask: What might criminals do with my stolen fingerprints?
While OPM informs the recipients that their fingerprints were “compromised during the cyber intrusion,” it states: “Federal experts believe the ability to misuse fingerprint data is currently limited. … [W]e are working with law enforcement and national security experts to review the potential ways fingerprint data could be misused now and in the future …”
But Eva Velasquez, CEO of the Identity Theft Resource Center, explained to Credit.com that stolen fingerprints may be a big problem in the future if biometric technology is used to verify bank accounts, home security systems and even travel verifications.
And unlike stolen Social Security numbers, she says, it’s more difficult to deal with the consequences of having fingerprints hacked.
“There is a process in place to change your Social Security number,” Velazquez said. “It’s hardly ever used … but we know it is exists.”
Your fingerprint, on the other hand, is “unchangeable,” she said.
Mike German, a fellow at the Brennan Center for Justice’s Liberty and National Security Program, concurred with Velasquez’ observation: “People can change their appearance and assume a covert identity, but they can’t change their fingerprints,” he told the FiveThirtyEight blog.
German said a foreign intelligence agency would consider fingerprints to be “extremely valuable counter-intelligence material.”
And if domestic cyber hackers obtained the fingerprints, the records could be sold for very high prices to foreign governments.
What could China do with those prints?
Allison Berke, a former cyber security consultant and senior associate director of the Stanford Cyber Initiative, told FiveThirtyEight foreign governments can use the prints for three primary purposes:
- To sniff out spies located in foreign countries operating under aliases: After foreign governments collect fingerprints when Americans arrive in the country, they can compare those prints against the hacked OPM database to determine whether individuals work for the U.S. government.
- To create fake identities inside OPM databases: Berke said foreign operatives could replace “fingerprint data of legitimate employees with the fingerprints of a person who wishes to assume that identity.” Hackers have already demonstrated that they can access OPM records, so it’s possible they could swap prints inside the personnel database, and the federal government might not detect the switch.
- To bypass federal security measures: Operatives could use the prints, along with the millions of Social Security numbers they swiped, for identity verification. In theory, FiveThirtyEight explains, the fingerprint data could be used to acquire a smart card ID, which federal employees use to access information on government laptops and enter secured facilities with doors that have fingerprint scanners.
Nonetheless, federal authorities didn’t want to speculate on what could happen, according to FiveThirtyEight, which reported am FBI spokesperson said they didn’t want to “theorize on what could be done with the prints.”
The U.S. also uses electronic fingerprint data for visa applications, according to the State Department website.
And U.S. Customs and Border Protection uses an electronic fingerprints database to identify international travelers when they enter the U.S. CBP says it uses its 10-fingerprint database “to verify a traveler’s identity” and determine whether they “pose a threat to the United States.” The agency says, “[B]iometrics are unique and almost impossible to forge.”
Kurt Schlichter, a Townhall columnist, author and Army veteran, recently received the OPM letter, too.
“Oh, the OPM informed me by letter that they had lost my info in the clearance hack,” he tweeted. “Tell me more about how we can trust Obama on Syrians.”
OPM vulnerable to another attack?
The OPM letter provided to WND doesn’t explain how federal officials plan to help prevent any of the above scenarios, or what measures it has taken to ensure its records are not compromised again in a large-scale cyberbreach.
In fact, OPM may still be vulnerable to another attack, according to NextGov.com, which reported Friday that the agency is “still struggling to address IT recommendations repeatedly made by the inspector general’s office.”
To further exacerbate the issue, China is likely still spying on the U.S., said U.S. counterintelligence chief Bill Evanina in a Nov. 18 briefing.
And, as WND Editor and CEO Joseph Farah wrote in his Monday column, when Congress finally got around to investigating the massive cyberbreach, officials from OPM, the Office of Management and Budget and the Department of Homeland Security all refused to testify.
“It’s almost as shocking as the administration’s negligence in permitting the cyber-attack in the first place,” Farah wrote. “It’s a cover-up, plain and simple. It’s stonewalling on a scale that puts Richard Nixon and Bill Clinton to shame.”
Tips for Americans who had records hacked
Lifelock, an American identity theft protection company, offered the following list of tips for Americans who had their personal information compromised:
- Assume your most sensitive personal data has been compromised. You should pay close attention to your finances and credit for years to come. … [E]ven if new accounts are not opened immediately, they could be at a much later date. A Social Security number can be used to open a new credit account, open a cell phone account or even fraudulently file a tax return.
- Change passwords for important email accounts, financial accounts and social media accounts. It never hurts to make sure your important accounts have protection. Your email address could have been stolen, so it’s important to be on the lookout for phishing emails, which are designed to trick you into handing over more personal information or loading malware onto your computer. If you want to log into an account, type the URL into the browser yourself.
- Monitor transactions by keeping an eye on your financial accounts, looking for any fraudulent transactions and report any suspicious transaction immediately.
Lifelock also suggests enrolling in a credit monitoring service.
What wasn’t included in the OPM letter? An apology for the massive breach.
“One of the things that was so egregious to me is that OPM never said, ‘I’m sorry,'” said Chairman of the House Oversight Committee on Information Technology Rep. Will Hurd, R-Texas, in an interview with Passcode. “That is what’s outrageous.”