The OPM Hack Shows How Biometric Security Is Flawed
The U.S. Office of Personnel Management (OPM) was hacked recently, and investigators have concluded that the number of stolen records was far greater than anyone had estimated. 21.5 million people were impacted by this breach: essentially everyone who has had a background security check through OPM since 2000. It wasn't only employees and applicants who were affected; 1.8 million of those records belonged to friends and family members of applicants who were covered by the security reviews as well.
The one aspect of the breach I want to focus on is what else the attackers took: 1.1 million fingerprints. That is different from the Social Security numbers (SSNs) and other personally identifiable information (PII) that can be used for identity theft at the digital level. There are services and protections you can use to limit that exposure and to detect when your information is being used for financial purposes: filing false tax returns, opening credit cards, and so on. You can change your bank accounts, cancel your credit cards, and even get a new SSN (very hard to do, but possible).
Fingerprints change everything. As security controls become more robust and more companies push to get away from passwords, one direction is biometric authentication. Using the unique features of your body is, in theory, a very strong way to identify a person. Retinal scans and facial recognition are the more advanced technologies, but fingerprint scanners, especially in government facilities, are far more widespread. When this technology hit the market and was implemented it seemed like a good security process, but I have never bought into biometrics as a security solution. The primary reason is that you cannot change them. A biometric is an identifier, not a secret, and an identifier you cannot rotate is a poor thing to build authentication on by itself.
With the fingerprints stolen from OPM, 1.1 million people can never again safely and confidently use their fingerprints as an authentication factor, anywhere. You have no idea where your fingerprints ended up, and combined with your SSN and PII you can be tracked from the shadows forever. Unlike digital credentials, those 1.1 million people cannot change their fingerprints. In addition, any organization that uses a fingerprint scanner as part of authentication or access control now has to seriously evaluate the viability and risk of keeping it in place. You either add security layers in front of the fingerprint scanner, so that a fingerprint alone is never sufficient, or you remove fingerprint access for the 1.1 million people who may have had it and give them another way in, which means issuing them a different factor.
Another aspect of this breach that should be discussed and built into security frameworks is classifying biometric data, even where it is not used for security, so that it is protected at the same level as a password. Your company may not have body scanners in place, but someone else might, and you may be storing the keys to that system without knowing it. The information security best-practice handbook says never reuse the same password on different sites, because if one system is hacked your username and password will not work anywhere else. Yet the same people push for biometric implementations, which break that first rule: you have one set of fingerprints, one pair of eyes, one face (plastic surgery not included), and they will be used everywhere. Worse, a stored biometric cannot be protected the way a password is. A password is stored only as a salted one-way hash, because every login presents the exact same string. A fingerprint template has to be kept in a matchable form, because no two scans of the same finger are identical and the verifier must compare with a tolerance, so whoever breaches the store gets the reusable credential itself rather than a hash to crack.
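To make the previous paragraph concrete, here is a small added example (my own illustration, not code from the original post and not how any real biometric product works). The password side uses the standard library's PBKDF2. The fingerprint side is a deliberately simplified toy model in which a template is a 256-bit string, a fresh scan of the same finger flips a few bits, and matching is a Hamming-distance threshold; the threshold and noise levels are assumed values, and all sample data is constructed with a seeded generator. The point it demonstrates is the asymmetry: a stolen password record still has to be cracked, while a stolen template replays directly, and hashing the template password-style is not an option because genuine scans then stop matching.

```python
import hashlib
import os
import random
import secrets

# ---- Password side -------------------------------------------------------
# A password is presented identically at every login, so the server keeps
# only a salted, slow, one-way hash.  Stealing the record yields something
# that must still be cracked offline.
PBKDF2_ROUNDS = 200_000


def enroll_password(password: str) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def verify_password(record: dict, attempt: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], PBKDF2_ROUNDS)
    return secrets.compare_digest(digest, record["hash"])


# ---- Biometric side (toy model, constructed for this example) -----------
# Real fingerprint templates are minutiae sets; here a template is a 256-bit
# integer and sensor noise flips a few bits per scan.  The matching rule
# (Hamming distance within a threshold) is an assumption of this toy model.
TEMPLATE_BITS = 256
MATCH_THRESHOLD = 20  # assumed: accept scans differing in at most 20 bits


def enroll_fingerprint(scan: int) -> dict:
    # The template must stay in a form that can be compared with tolerance,
    # so it is stored as-is (or reversibly encrypted), never one-way hashed.
    return {"template": scan}


def noisy_scan(template: int, flips: int, rng: random.Random) -> int:
    """Simulate a fresh scan of the same finger: `flips` distinct bits differ."""
    for pos in rng.sample(range(TEMPLATE_BITS), flips):
        template ^= 1 << pos
    return template


def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


def verify_fingerprint(record: dict, scan: int) -> bool:
    return hamming(record["template"], scan) <= MATCH_THRESHOLD


def hashed_template_matches(template: int, scan: int) -> bool:
    """What happens if you store only SHA-256(template), password-style:
    a single flipped bit changes the digest entirely, so a genuine scan
    of the enrolled finger is rejected."""
    def h(x: int) -> bytes:
        return hashlib.sha256(x.to_bytes(TEMPLATE_BITS // 8, "big")).digest()
    return h(template) == h(scan)


# ---- Breach scenarios ------------------------------------------------------
def breached_password_replay(record: dict) -> bool:
    # Attacker submits the stolen hash as the password; the server re-hashes
    # whatever is submitted, so this does not authenticate.
    return verify_password(record, record["hash"].hex())


def breached_template_replay(record: dict) -> bool:
    # Attacker presents the stolen template itself; it matches with distance
    # zero and there is no salt, hash or rotation to stop it.
    return verify_fingerprint(record, record["template"])


def demo() -> dict:
    rng = random.Random(1234)  # deterministic, constructed sample data
    pw = enroll_password("correct horse battery staple")
    finger = rng.getrandbits(TEMPLATE_BITS)
    fp = enroll_fingerprint(finger)
    return {
        "password_ok": verify_password(pw, "correct horse battery staple"),
        "password_wrong": verify_password(pw, "Correct horse battery staple"),
        "scan_ok": verify_fingerprint(fp, noisy_scan(finger, 5, rng)),
        "scan_too_noisy": verify_fingerprint(fp, noisy_scan(finger, 40, rng)),
        "hashed_template_accepts_genuine": hashed_template_matches(finger, noisy_scan(finger, 1, rng)),
        "stolen_hash_replays": breached_password_replay(pw),
        "stolen_template_replays": breached_template_replay(fp),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running it shows the password store surviving its own breach (the stolen hash does not log in) while the fingerprint store does not (the stolen template logs in every time), and shows why the obvious fix of hashing the template breaks legitimate use. That is the engineering reason biometric stores deserve at least password-level classification, and usually stronger controls such as on-device matching or encryption under keys held elsewhere.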
The government may not have any fingerprint scanners deployed anywhere; I don't know. The point is, with the growing use of biometric and body-recognition technologies, like Touch ID on your iPhone or iPad, people need to step back and ask: what happens when the stored data about my body is breached? Then what? I can't call someone to change it; it is dead and gone at that point. It is the equivalent of losing your house keys and having to move because you cannot change the locks. One caveat worth knowing: Touch ID matches on the device and keeps the enrolled data inside the Secure Enclave rather than in a central database, which limits the blast radius of any one breach. OPM's fingerprints were a central store, which is the worst case.
End of Line.
Binary Blogger has spent 20 years in the information security space and currently provides security solutions and evangelism to clients. From early web application programming, system administration and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.