The hackers who recently broke into the computers of the federal Office of Personnel Management didn’t just steal the usual names, addresses and Social Security numbers. This time, they took something else: fingerprints. Over 1 million sets of them.
That piqued the interest of the would-be criminal masterminds in the FiveThirtyEight office: What exactly does one do with lots of stolen fingerprints? Access a bunch of iPhones with Touch ID and download unlimited albums from iTunes? It turns out we weren’t thinking nearly big enough.
In fact, the most likely uses of the stolen prints are more about deep spycraft than petty phone theft, according to several experts I asked to theorize on potential exploits. Combine the old grade-school truism that fingerprints, like snowflakes, are unique (or at least pretty close to it) with the fact that fingerprints can’t be changed, and you’ve got a powerful identity authentication tool that could be used to great effect by a foreign intelligence agency.
“People can change their appearance and assume a covert identity, but they can’t change their fingerprints,” wrote Mike German, a fellow at the Brennan Center for Justice’s Liberty and National Security Program, in an email.1 If the hack was indeed carried out by a foreign intelligence agency, as experts suggested to me that it was, the fingerprints would be “extremely valuable counter-intelligence material,” he continued. And even if the hackers were run-of-the-mill civilian cyber-criminals, the material could potentially be sold for big money to an interested foreign government.
Echoing those thoughts, Allison Berke, a former cyber security consultant and senior associate director of the Stanford Cyber Initiative, said she could imagine three specific ways the hackers — probably Chinese nationals, in her view — may use the stolen fingerprints.
First, they could be used to sniff out individuals operating in a foreign country under false identities. Imagine that you, an American spy, travel to Hackistan ostensibly to work as the ambassador’s dog walker. The Hackistani government grabs your fingerprints when you arrive in the country. But now, after their successful hack, they can check yours against the prints in the stolen OPM database. They find that your prints are a partial match with the prints of a contractor who worked for the U.S. Department of Defense a decade ago. Uh oh. “Hmm, maybe this isn’t really a dog walker after all,” the Hackistanis might think. “Let’s look a bit more closely at this guy.”
Second, Berke said, the prints may help in creating new, assumed identities for the thieves or their associates. Foreign operatives could do this “by replacing the fingerprint data of legitimate employees with the fingerprints of a person who wishes to assume that identity,” Berke wrote in an email. Typically, the OPM would be able to track changes made to the personnel database. But in this case, the hackers had administrative access, which would also have let them alter or erase the records of those changes, so it's impossible for OPM now to know whether any were made.
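To make that point concrete, here is an added illustration (not code from the article, from OPM, or from any of the people quoted) of why an attacker with database administrator rights defeats ordinary change tracking, and what would still catch a swapped fingerprint template: a keyed digest of every record whose key never touches the database host. The records, the placeholder "templates", the auditor key and the function names are all constructed for the example; no real personnel data or real biometric format is involved.

```python
"""Tamper evidence for a personnel record store holding fingerprint templates.

Added example: an in-database change log is only as trustworthy as the admin
account that can rewrite it. A keyed digest held by a separate auditor still
detects a swapped template after the fact.
"""
import copy
import hashlib
import hmac
import json

# Constructed sample records. The "template" values are placeholder hex
# strings standing in for biometric templates, not real data.
SAMPLE_RECORDS = {
    "E-1001": {"name": "Analyst A", "ssn_last4": "1234", "template": "aa11bb22"},
    "E-1002": {"name": "Contractor B", "ssn_last4": "5678", "template": "cc33dd44"},
}

# Hypothetical auditor key. The design assumption is that it lives somewhere
# the database administrator cannot reach (a separate host or an HSM).
AUDITOR_KEY = b"auditor-key-kept-off-the-database-host"


def canonical(record):
    """Deterministic byte encoding so digests don't depend on dict ordering."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class PersonnelDB:
    """Records plus the kind of integrity table and history an admin controls."""

    def __init__(self, records):
        self.records = copy.deepcopy(records)
        self.digests = {rid: self._digest(rid) for rid in self.records}
        self.history = []  # (record id, old digest, new digest)

    def _digest(self, rid):
        return hashlib.sha256(canonical(self.records[rid])).hexdigest()

    def update_template(self, rid, template):
        """Legitimate update path: changes the record and logs the change."""
        old = self.digests[rid]
        self.records[rid]["template"] = template
        self.digests[rid] = self._digest(rid)
        self.history.append((rid, old, self.digests[rid]))

    def internal_audit(self):
        """Record ids whose stored digest no longer matches their content."""
        return sorted(r for r in self.records if self._digest(r) != self.digests[r])


def seal(db, key):
    """Auditor's view: a keyed digest per record, computed with the off-host key."""
    return {rid: hmac.new(key, canonical(rec), hashlib.sha256).hexdigest()
            for rid, rec in db.records.items()}


def external_audit(db, seals, key):
    """Record ids whose current content no longer matches the auditor's seals,
    plus any ids present now that had no seal (inserted records)."""
    current = seal(db, key)
    changed = sorted(rid for rid in seals
                     if not hmac.compare_digest(current.get(rid, ""), seals[rid]))
    inserted = sorted(set(current) - set(seals))
    return changed + inserted


def admin_swap_template(db, rid, template):
    """Attacker with admin rights: replace the template, then fix up the
    in-database integrity table and delete the history so nothing looks changed."""
    db.records[rid]["template"] = template
    db.digests[rid] = db._digest(rid)
    db.history = [h for h in db.history if h[0] != rid]


def demo():
    db = PersonnelDB(SAMPLE_RECORDS)
    seals = seal(db, AUDITOR_KEY)                   # taken before the intrusion
    admin_swap_template(db, "E-1002", "ee55ff66")   # operative's template goes in
    return {
        "internal_audit_flags": db.internal_audit(),                # nothing
        "external_audit_flags": external_audit(db, seals, AUDITOR_KEY),  # E-1002
        "history_entries": len(db.history),                         # erased
    }


if __name__ == "__main__":
    print(demo())
```

The internal audit passes because the same administrator privilege that rewrote the template also rewrote the digest table and the history; that is the situation the article describes. The external audit catches the swap only because the HMAC key was never on the compromised host; legitimate updates also show up there and have to be reconciled against the auditor's own record of authorized changes, and if the attacker reaches the auditor key as well, this check says nothing.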
Third, the prints could be used, in combination with some of the other stolen data like names and Social Security numbers, as further identity authentication. Berke wasn’t aware of any real-world examples of this, but in theory it could allow those using the hacked data to illicitly obtain a personal identity verification card, for example — a smart card that legitimate employees use to access federal facilities. Federal employees sometimes need the same type of card to log on to their computers, and doors occasionally have fingerprint scanners. The stolen prints could be used to bypass these security measures.
Berke said she thought that accessing encrypted devices using the prints may be possible, but was less likely. Multiple calls to Apple to ask about the security of its fingerprint Touch ID technology in light of this hack were not returned.
Federal law enforcement officials wouldn’t indulge in speculation, either. An FBI spokesperson told me in a voicemail that they didn’t want to “theorize on what could be done with the prints.”
Mike German said he was worried about the implications of this breach, especially as more and more private data is shared with the government. He said that major breaches like this are usually less the result of ultra-sophisticated hacking and more of poor “cyber hygiene” — the proper maintenance and upkeep of computer systems, and the use of cyber security best practices.
“If private companies are sharing more information with the government,” he said, “and the OPM practices are an example of the government’s cyber hygiene, I don’t think that bodes well for our cyber security.”