OPM says up to 5.6 million fingerprints stolen

The Office of Personnel Management admitted that the number of federal employees’ fingerprints compromised in the massive breach of its servers over the summer has grown from 1.1 million to a whopping 5.6 million. When hackers steal data such as passwords, you can change it. However, when they steal your fingerprints, they have a credential that never changes, which means they could use your identity indefinitely.

Commenting on this news, Ryan Wilk, director at behavioural biometrics firm NuData Security, said:

“Although usernames and passwords can be changed, and compromised cards replaced, victims of a breach need to understand that every bit of information exposed is becoming more critical by the day.

By combining the information stolen from these breaches, the hackers have the potential to piece together comprehensive user identities. One frightening example is the ‘Facebook of Everything’ that China’s intelligence service is compiling from the personal data stolen over several high-profile U.S. cyber breaches, including OPM, and is indexing into a massive Facebook-like network to build profiles with more details than Facebook.

In other words, they’ve now got a full database of information that could be used for multiple fraudulent and nefarious purposes for generations to come. They are able to use the stolen information and fingerprints to create more comprehensive ‘identity bundles’, which sell for a higher value to hackers. With more complete information, more damaging fraud can take place. As an example, if I’m a hacker and gain access to geographical data on John Smith from breach one, and bank account information from breach two, I can fill out a loan application or apply for a new credit card as John regularly would. This is true for the millions of stolen fingerprints as well, especially with the increased adoption of touch/fingerprint-based authentication for mobile banking and payment apps. Unlike passwords, fingerprints last a lifetime and are usually associated with critical identities.

Identity protection services or credit monitoring aren’t enough, particularly for biometric identity theft. Fingerprints cannot be changed. Spoofing fingerprints is no longer something from a sci-fi movie. It is happening and will increase as cheaper tools make their way onto the dark web.

Fortunately, user behaviour analytics can provide the extra layers of protection even after hacks have occurred. Online fraud detection solutions can stop fraudsters in their tracks by identifying suspicious activity in a completely passive and non-intrusive way. This is accomplished by understanding how a legitimate user truly behaves, in contrast to a potential fraudster with legitimate information. Even if the fraudster has your spoofed fingerprint and all of your account information, organisations can look at behavioural events, biometrics, device, geography and other layers to determine the real actor behind the device or fingerprint. Without even interrupting a user’s experience, fraud can be predicted and prevented from occurring.”