Millions more fingerprints stolen in OPM breaches than first reported

September 23, 2015, 7:03 PM UTC
Biometric Hardware Firms Display Security Solutions
LONDON - OCTOBER 14: A fingerprint scanner is demonstrated during the Biometrics 2004 exhibition and conference October 14, 2004 in London. The conference will examine the role of new technology such as facial recognition and retinal scans to determine identity to improve security. (Photo by Ian Waldie/Getty Images) *** Local Caption ***
Photograph by Ian Waldie — Getty Images

The Office of Personnel Management has revised its estimate for the number of fingerprint records compromised in cyberattacks that recently targeted the agency, the office announced on Wednesday.

The agency (commonly abbreviated as “OPM”), which serves as a human resources department for the federal government, has upped its figure to 5.6 million stolen fingerprint records from its original estimate of 1.1 million.

The higher figure does not affect the estimated number of federal employees who had their sensitive information, such as social security numbers and SF-86 security clearance forms, compromised in the attacks, OPM said in its news release. That figure remains pegged at 21.5 million.

As a means of authentication, biometric indicators such as fingerprints have made inroads in the past couple of years as a promising alternative to passwords, which can be difficult to remember and are often improperly—and weakly—applied by users. In 2013, for instance, Apple (AAPL) introduced its touch ID device-locking tech as a substitute for personal identification numbers with the launch of its iPhone 5s. The feature has been included on all the latest iPhone and iPad models since.

The OPM revelation exposes a major flaw lurking in fingerprint-protected systems though. People can easily change their passwords; they can’t easily change their fingerprints.

“Federal experts believe that, as of now, the ability to misuse fingerprint data is limited,” the agency said in a statement. “However, this probability could change over time as technology evolves.”

Fortune requested elaboration on this point. An OPM spokesperson replied via email: “The law enforcement and intelligence communities are best positioned to give the most fulsome answer to this question.”

Government security experts will team up to investigate the issue and devise future protections, the office said. This group includes members from the Federal Bureau of Investigation, Department of Homeland Security, Department of Defense, and other members of the intelligence community.

Unfortunately, no amount of free credit monitoring nor identity theft protection can un-steal fingerprint data.

Senator Ben Sasse told Fortune via email that the latest news “is the clearest sign yet that the administration still acts like the OPM hack is a PR crisis instead of a national security threat. The American people have no reason to believe that they’ve heard the full story and every reason to believe that Washington assumes they are too stupid or preoccupied to care about cyber security.”

Many security experts have attributed the OPM attacks to China. Ironically, given the news, Chinese president Xi Jinping is currently touring the U.S., visiting tech companies, and engaging with top officials in discussions about cybercrime and espionage.

For more on the OPM data breach, watch this Fortune video:


Subscribe to Data Sheet, Fortune’s daily business-tech newsletter.

Subscribe to Well Adjusted, our newsletter full of simple strategies to work smarter and live better, from the Fortune Well team. Sign up today.

Read More

Artificial IntelligenceCryptocurrencyMetaverseCybersecurityTech Forward