The U.S. Office of Personnel Management (OPM) recently announced that, of the 21.5 million people whose Social Security numbers and other personal information were exposed by data breaches disclosed earlier this year, approximately 5.6 million people's fingerprints were also exposed.
"Federal experts believe that, as of now, the ability to misuse fingerprint data is limited," OPM press secretary Sam Schumach said in a statement. "However, this probability could change over time as technology evolves."
An interagency working group composed of experts from the FBI, DHS, DOD and other member of the intelligence community will examine ways the fingerprint data could be misused both now and in the future, Schumach said.
"This group will also seek to develop potential ways to prevent such misuse," he added. "If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach."
As Tripwire director of IT security and risk strategy Tim Erlin told eSecurity Planet by email, one of the key challenges of biometric authentication is that it's immutable.
"You can’t change your fingerprints, retinas or voice prints," he said. "When biometric credentials are compromised, it’s very hard to recover. Using multi-factor authentication can provide mitigation in these cases. The best authentication, as the old adage goes, requires something you are, something you have and something you know."
"While cybercriminals may not be positioned to leverage stolen biometrics now, that will change as these types of authentication are more widespread," Erlin added. "Most iPhones can use a fingerprint for authentication these days, and criminals always look for the most profitable targets."
And STEALTHbits channel marketing manager Jeff Hill noted by email that public details of the OPM breach continue to be extremely limited. "We don’t know how long the attackers operated on the OPM network undetected," he said. "We don’t know the means of initial infiltration. However, that the government is revising its damage estimates yet again implies the extent to which sensitive data was exposed is still unclear, a troubling development further suggesting the time between initial breach and detection was substantial."
"It takes time to compromise privileged credentials, find the sensitive personnel data those credentials have access to, and exfiltrate millions of records without attracting attention," Hill added. "Few in the data security world would be surprised if we eventually learn the bad actors operated with relative impunity on the OPM network for a timeframe measured in months, if not years."