OPM Admits 5.6 Million Had Fingerprint Data Stolen

Number is five times original estimate

AP

The Office of Personnel Management (OPM) said Wednesday that approximately 5.6 million Americans had their fingerprint data stolen in a cyber attack on government computer systems.

The number, first reported by CNBC, represents a more than 400 percent increase over the original estimate of 1.1 million. OPM said in a statement that the evaluation of previously unanalyzed archived records led to the fivefold increase in the estimate of compromised fingerprint data.

OPM said in a statement Wednesday that "federal experts believe that, as of now, the ability to misuse fingerprint data is limited." However, the government agency admitted that the likelihood that the data will be misused could "change over time as technology evolves," according to The Hill

An agency spokesman said, "If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach."

The cyber attack, which is believed to have been carried out by Chinese sources, compromised the data of more than 20 million people, most of whom are federal works. The information stolen includes Social Security numbers, passwords, and other sensitive data. OPM insisted Wednesday that the total number of individuals affected has not grown higher because of the updated estimate.

An interagency working group comprised of individuals from the FBI, Department of Homeland Security, and Department of Defense will review the implications of the compromised fingerprint information, OPM said.

The agency is currently working with the Defense Department to "begin" notifying individuals impacted in the hack well over two months after OPM acknowledged the breach. Earlier this month, the agency awarded a $133 million contract to Identity Theft Guard Solutions to provide identity theft protection services to individuals affected.

Victims of the hack could wait up to four months to be notified of their stolen data.