Millions more fingerprints stolen in OPM breaches than first reported

September 23, 2015, 7:03 PM UTC

The Office of Personnel Management has revised its estimate for the number of fingerprint records compromised in cyberattacks that recently targeted the agency, the office announced on Wednesday.

The agency (commonly abbreviated as “OPM”), which serves as a human resources department for the federal government, has upped its figure to 5.6 million stolen fingerprint records from its original estimate of 1.1 million.

The higher figure does not affect the estimated number of federal employees who had their sensitive information, such as social security numbers and SF-86 security clearance forms, compromised in the attacks, OPM said in its news release. That figure remains pegged at 21.5 million.

As a means of authentication, biometric indicators such as fingerprints have made inroads in the past couple of years as a promising alternative to passwords, which can be difficult to remember and are often improperly—and weakly—applied by users. In 2013, for instance, Apple (AAPL) introduced its Touch ID device-locking tech as a substitute for personal identification numbers with the launch of its iPhone 5s. The feature has been included on all the latest iPhone and iPad models since.

The OPM revelation exposes a major flaw lurking in fingerprint-protected systems, though. People can easily change their passwords; they can’t easily change their fingerprints.

“Federal experts believe that, as of now, the ability to misuse fingerprint data is limited,” the agency said in a statement. “However, this probability could change over time as technology evolves.”

Fortune requested elaboration on this point. An OPM spokesperson replied via email: “The law enforcement and intelligence communities are best positioned to give the most fulsome answer to this question.”

Government security experts will team up to investigate the issue and devise future protections, the office said. This group includes members from the Federal Bureau of Investigation, Department of Homeland Security, Department of Defense, and other members of the intelligence community.

Unfortunately, no amount of free credit monitoring or identity theft protection can un-steal fingerprint data.

Senator Ben Sasse told Fortune via email that the latest news “is the clearest sign yet that the administration still acts like the OPM hack is a PR crisis instead of a national security threat. The American people have no reason to believe that they’ve heard the full story and every reason to believe that Washington assumes they are too stupid or preoccupied to care about cyber security.”

Many security experts have attributed the OPM attacks to China. Ironically, given the news, Chinese president Xi Jinping is currently touring the U.S., visiting tech companies, and engaging with top officials in discussions about cybercrime and espionage.
