Officials say 5.6 million fingerprints stolen in massive OPM hack

Updated

The Office of Personnel Management announced Wednesday that the number of people whose fingerprints were stolen in a major breach first announced this summer has jumped to 5.6 million, more than five times the number the agency first reported.

The announcement comes on the second day of a visit to the United States by Chinese president Xi Jinping, who is due to meet with President Obama Friday in Washington against a backdrop of accusations by U.S. officials of Chinese hacks of American government and business computers.

American officials this summer said China is responsible for the OPM breach, though China denied involvement.


OPM first announced in July that an estimated 1.1 million fingerprint records had been stolen as part of a major breach targeting 21.5 million people. Wednesday, the agency said an investigation into the breach had identified additional stolen fingerprint records.

“This does not increase the overall estimate of 21.5 million individuals impacted by the incident,” the release said.

The agency first reported in June that personnel records of 4.2 million people had been compromised in a hack. The following month, OPM reported a second, larger attack targeting personal information for 21.5 million people. The second attack, the agency said, targeted background checks required for U.S. government security clearances, and included social security numbers, health records, and fingerprint records.

Because of overlap between the two attacks, the agency said the two breaches combined affected a total of 22.1 million people.

In its release Wednesday, the agency said that federal intelligence officials are evaluating how fingerprint data could be fraudulently used, and how to prevent such use.

“Federal experts believe that, as of now, the ability to misuse fingerprint data is limited,” the release said.

OPM officials say they suspect hackers gained access to the OPM network in May 2014 via a contractor’s stolen login information, and were inside the system for almost a year before the smaller hack was discovered in April. Officials said they discovered the second, larger hack while investigating the first, and that they suspected both hacks were the work of the same party.

While the White House never made an official accusation in the breach, U.S. officials pointed toward China. During an intelligence conference in Washington over the summer, the Director of National Intelligence, James Clapper, called China a “leading suspect.”

“You have to kind of salute the Chinese for what they did,” Clapper said.

China has denied involvement, telling NBC News in the wake of the revelation of the first hack that American officials were “irresponsible” for making accusations against China.

Tension has steadily increased over this issue.

Earlier this month, during a visit to Fort Meade, where the NSA and the United States Cyber Command are located, President Obama answered questions about recent cyber attacks.

“We’ve made very clear to the Chinese that there are certain practices that they’re engaging in that we know are emanating from China and are not acceptable,” Obama said. “And we can choose to make this an area of competition, which I guarantee you we’ll win if we have to.”

While he is here in the US, Xi Jinping is seeking to assuage worries about Chinese cyber activity, and nurture relationships with U.S. industry.

Speaking to American business leaders in Seattle on Tuesday, the first night of his state visit, the Chinese president said China is a “staunch defender” of cyber-security.

“The Chinese government will not, in whatever form, engage in commercial thefts or support or encourage such attempts by anyone,” Xi said, adding that China “is ready to set up a high-level, joint dialog mechanism with the United States on fighting cyber crimes.”

Wednesday Xi met with U.S. business executives in Seattle, including investor Warren Buffett, Apple CEO Tim Cook, Amazon head Jeff Bezos, and Microsoft head Satya Nadella.

During a speech that followed a private meeting with American and Chinese business executives, Xi said he would work with the United States on an agreement to improve trade relations between the two countries.

“Once concluded, the treaty will further ease market access and put in place more open and transparent market rules,” Xi said.

But cyber security experts say that without an agreement to tamp down Chinese cyber theft, American companies will continue to lose money.

“This is an active cyber war that’s going on,” said J.J. Thompson, the CEO of the Indianapolis-based Rook Security firm. 

“The president needs to figure out whether we are going to continue drifting apart from the Chinese on cyber security policy, or work together in a joint effort to bring forth meaningful change,” Thompson said.
