Hackers who stole security clearance data on millions of Defense Department and other U.S. government employees got away with about 5.6 million fingerprint records, some 4.5 million more than initially reported, the government said on Wednesday.
During an ongoing analysis of the data breach, the estimated number of people who had fingerprint records stolen rose from 1.1 million to about 5.6 million, the Office of Personnel Management said in a statement.
OPM has estimated a total of 21.5 million people had their Social Security identification numbers and other sensitive information stolen in the hacking incident earlier this spring. The discovery of additional missing fingerprints did not affect that overall total, it said.
U.S. officials have privately blamed the breach on Chinese government hackers, but they have avoided saying so publicly. Officials also have said no evidence has surfaced yet suggesting the stolen data has been abused, though they fear the theft could present counterintelligence problems.
OPM said in its statement the discovery of additional stolen fingerprints came as officials from OPM and the Defense Department were analyzing data affected by the incident.
During that process, officials “identified archived records containing additional fingerprint data not previously analyzed,” increasing the estimated number of people who had fingerprint data stolen, the OPM statement said.
OPM downplayed the danger of stolen fingerprint records, saying the ability to misuse the data is currently limited. But it acknowledged the threat could increase over time as technology evolves.
“Therefore, an interagency working group with expertise in this area … will review the potential ways adversaries could misuse fingerprint data now and in the future,” it said.
The group includes members of the intelligence community as well as the FBI, Department of Homeland Security and the Pentagon.
“If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach,” OPM said.
The Defense Department and OPM are working together to begin mailing notifications to the people whose information was stolen, the OPM statement said.