
The data breach that just gets worse and worse
Tim Henwood
25 September 2015


Did you think Ashley Madison was a big deal? Most of us know the story - a group of people who were looking online for affairs got outed because hackers took the database and dumped it online for everyone to see.

Maybe because of Ashley Madison, it was easy to overlook a much less sexy story that began in June and continues to rumble on in the United States. It is also a hacking* story that is potentially a bigger deal than Ashley Madison.

But the mainstream news media here didn’t spend much time on it. The agency that was hacked had a boring name; the stolen information wasn’t instantly salacious; it concerned US government employees rather than the public at large; and there was no element of international scandal.

The agency in question is the United States Office of Personnel Management (OPM). For context, think of it as an enormous human resources department for the entire US federal government system and its millions of employees.

Early on, OPM put the number of people whose records had been stolen at four million. That figure has since ballooned to a massive 21.5 million. The stolen information included personal details such as social security numbers, names, dates and places of birth, and addresses.

Boring name or not, that’s a pretty big data breach. What makes this one particularly bad is that OPM conducts the background investigations behind US government security clearances. It carries out the US equivalent of the security clearance checks the SIS performs in New Zealand on government officials who have access to sensitive information.

Potentially, everyone who works, or has worked, in the US federal government public service and who needed a security clearance has been affected.

If you’ve had a security clearance in New Zealand, or know someone who has, you’ll know that it’s not just your own personal information tied up in a clearance. The process asks questions of and about multiple people you know: family, referees, associates. So those 21.5 million records may well contain information about a much larger number of people.

But wait, it gets worse.

This week, it was revealed that the data nicked by the hackers included the fingerprints of 5.6 million people, up from the 1.1 million OPM had first estimated.

As this Wired article points out: “When hackers steal your password, you change it. When hackers steal your fingerprints, they’ve got an unchangeable credential that lets them spoof your identity for life.”

In the scheme of biometrics, someone getting hold of the raw fingerprint is really bad news. If OPM had stored only biometric templates, the measurements a reader extracts from a print rather than the print itself, that would be one thing: a template can be revoked and a new one generated, at least where it is produced by a keyed or otherwise revocable transform. You can’t give someone a new set of fingerprints. The caveat is that a plain, unkeyed template is not much better than the image, because it contains the same minutiae any matcher looks for, and such templates have been reverse-engineered into synthetic prints that match the original finger.
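To make the template-versus-print distinction concrete, here is an added example, not code from the original post or from OPM, that puts a constructed feature vector through two storage designs: raw features on file, and a revocable template built with a simplified BioHashing-style keyed random projection. Every feature vector, noise value and token in it is constructed, and DIM, BITS and the two thresholds are illustrative choices rather than parameters of any real system.

```python
"""
Added example (not from the original post): why a revocable template is
better to lose than a raw biometric. Feature vectors, sensor noise and
tokens are all constructed; the transform is a simplified BioHashing-style
keyed random projection, one of several published cancelable-biometric schemes.
"""
import hashlib
import math
import random
import secrets
from typing import Dict, List

DIM = 128                  # length of the constructed feature vector (stand-in for minutiae)
BITS = 128                 # length of the protected template
NOISE = 0.2                # per-component sensor noise between scans of the same finger
RAW_THRESHOLD = 0.8        # min cosine similarity to accept raw features (illustrative)
PROTECTED_THRESHOLD = 0.3  # max Hamming fraction to accept a protected template (illustrative)


def simulated_finger(seed: int) -> List[float]:
    """Constructed stand-in for the feature vector a reader extracts from one finger."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, 1.0) for _ in range(DIM)]


def fresh_scan(finger: List[float], seed: int) -> List[float]:
    """A new acquisition of the same finger: the true features plus sensor noise."""
    rng = random.Random(seed)
    return [x + rng.gauss(0.0, NOISE) for x in finger]


def cosine(a: List[float], b: List[float]) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))


def raw_matches(stored: List[float], probe: List[float]) -> bool:
    """Matcher for a system that keeps the raw feature vector on file."""
    return cosine(stored, probe) >= RAW_THRESHOLD


def new_token() -> bytes:
    """Per-enrolment secret, to be stored apart from the template (card, HSM, user device)."""
    return secrets.token_bytes(32)


def protect(features: List[float], token: bytes) -> List[int]:
    """Cancelable template: sign bits of a token-keyed random projection.
    A different token yields a statistically unrelated bit string for the same finger,
    which is what lets an enrolment be revoked and replaced."""
    seed = int.from_bytes(hashlib.sha256(token).digest()[:8], "big")
    rng = random.Random(seed)
    template = []
    for _ in range(BITS):
        direction = [rng.gauss(0.0, 1.0) for _ in range(DIM)]
        template.append(1 if sum(d * f for d, f in zip(direction, features)) > 0 else 0)
    return template


def hamming_fraction(a: List[int], b: List[int]) -> float:
    return sum(x != y for x, y in zip(a, b)) / len(a)


def protected_matches(stored: List[int], probe: List[int]) -> bool:
    """Matcher for a system that keeps only the protected template on file."""
    return hamming_fraction(stored, probe) <= PROTECTED_THRESHOLD


def breach_scenarios() -> Dict[str, bool]:
    """Walk both designs through a breach followed by re-enrolment (constructed data)."""
    alice = simulated_finger(1)
    mallory = simulated_finger(2)
    enrol_scan, reenrol_scan, later_scan = (fresh_scan(alice, s) for s in (10, 11, 12))
    impostor_scan = fresh_scan(mallory, 13)

    # Design 1: raw features on file. The breach leaks enrol_scan.
    stolen_raw = enrol_scan
    raw_store_after_reenrol = reenrol_scan  # "resetting" just stores the same finger again

    # Design 2: protected templates on file. The breach leaks the template (assume the token too).
    old_token, replacement_token = b"constructed-token-1", b"constructed-token-2"
    stolen_template = protect(enrol_scan, old_token)
    protected_store_after_reenrol = protect(reenrol_scan, replacement_token)

    return {
        # the genuine user still gets in under both designs
        "raw_genuine": raw_matches(raw_store_after_reenrol, later_scan),
        "protected_genuine": protected_matches(
            protected_store_after_reenrol, protect(later_scan, replacement_token)),
        # an impostor is rejected under both
        "raw_impostor": raw_matches(raw_store_after_reenrol, impostor_scan),
        "protected_impostor": protected_matches(
            protected_store_after_reenrol, protect(impostor_scan, replacement_token)),
        # the point of the post: stolen raw features survive re-enrolment, a stolen template does not
        "raw_replay_after_reenrol": raw_matches(raw_store_after_reenrol, stolen_raw),
        "protected_replay_after_reenrol": protected_matches(
            protected_store_after_reenrol, stolen_template),
    }
```

The two replay results are the whole story: in the raw design the attacker's copy keeps matching after the victim "resets", because the reset stores the same finger again; in the keyed design the old template is dead the moment a new token is issued. The protection only holds if the token is kept away from the template store and the transform resists inversion; several published schemes can be approximately inverted when both leak, so this is a mitigation, not a substitute for not collecting or not retaining the prints.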

OPM is downplaying the significance of this latest aspect of the breach. An interagency government group that includes the FBI and the Department of Homeland Security is reviewing potential ways the hackers could misuse the fingerprint data. In a statement, OPM said federal government security experts believed the ability to misuse fingerprint data was limited but it warned that this could change over time as technology evolved.

Comparing the breach at Ashley Madison with the one at the Office of Personnel Management reminds us that not all data is created equal: some personal information is more personal, and harder to replace, than the rest.

* The jury’s still out on whether this was an actual hack. We’ve based our commentary on various stories in the media at the time, but there’s also evidence that points to the incident being the work of a malicious insider.

Image credit: Fingerprint from page 88 of "Biology and man" (1944), Ginn and company publishers.

Comments

  • I'm getting far, far too old but I'm still a spring or autumn chicken - not even 60! But, nothing has really changed - remember the ancient feminist catch-cry of the 60's - "the personal is the political?" We really haven't moved on a great deal yet have we? Time for the personal to be just the personal and for all parts of the accompanying personal anatomy to make up its mind and keep to its own place when personal commitment is made rather than broadcasting itself for enhanced employment and enjoyment. Yet again, great reading - OPC. Morals, ethics? Just what are THEY?

    Posted by Carmel Rogers, 08/10/2015 9:35pm

    The aim of the Office of Privacy Commissioner’s blog is to provide a space for people to interact with the content posted. We reserve the right to moderate all comments. We will not publish any content that is abusive, defamatory or is obviously commercial. We ask for your email address so that we can contact you if necessary to clarify your comment. Please be respectful of authors and others leaving comments.
