Biometric security alarm raised as hackers steal 5.6 million fingerprints

The US Office of Personnel Management says that hackers who breached its systems over the summer made off with the fingerprint records of 5.6 million individuals, raising questions over the security of biometrically-protected identities.

Editorial

This content has been selected, created and edited by the Finextra editorial team based upon its relevance and interest to our community.

Of the 21.5 million individuals whose Social Security Numbers and other sensitive information were impacted by the breach, the subset of individuals whose fingerprints have been stolen has increased from an initial estimate of 1.1 million to approximately 5.6 million.

The theft of fingerprint records is likely to send tremors through the financial services industry, which has been a cheerleader for the increased use of biometric data to protect access to buildings, computers and consumer mobile logins.

In a statement, the OPM says: "Federal experts believe that, as of now, the ability to misuse fingerprint data is limited. However, this probability could change over time as technology evolves."

In response, the US has assembled an interagency working group with expertise in this area - including the FBI, DHS, DOD, and other members of the Intelligence Community - to review the potential ways adversaries could misuse fingerprint data now and in the future. This group will also seek to develop potential ways to prevent such misuse.

"If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach," the OPM states.

While the stolen data may be of little use to hackers with a financial motivation at the moment, it will raise alarm bells for consumers, who have been slowly coming round to the use of biometrics for securing their personal financial information.

Comments: (3)

Hitesh Thakkar Technology Evangelist (Financial Technology) at SME - Fintech startups (APAC and Africa)

Certainly this security incident will raise a lot of questions in consumers' minds, as well as bring difficulty for financial institutions to build confidence through customer education.

Mostly all fingerprint scanners have an inbuilt scan-and-encrypt feature to send data over (I refer to known brands - Fujitsu, 3M Cogen, Sagem Morpho ...) the network in a secured way from the device to the device driver as well as further to the host. A fraudster may find it difficult to replace it as a man-in-the-middle attack, but again it is subject to the implementation and architecture followed while designing biometric authentication.

A Finextra member 

Could someone issue me a new PAN, PIN and fingerprint please?

Craig Lawrance Sales Exec at Starkspur Ltd

@Martincox - absolutely right! As a static piece of security data, once digitised it's there forever for fraudsters to exfiltrate...