Did you think Ashley Madison was a big deal? Most of us know the story - a group of people who were looking online for affairs got outed because hackers took the database and dumped it online for everyone to see.
Maybe because of Ashley Madison, it was easy to overlook a much less sexy story that began in June and continues to rumble on in the United States. It is also a hacking* story that is potentially a bigger deal than Ashley Madison.
But the mainstream news media here in New Zealand didn’t spend much time on it. The agency that was hacked had a boring name; the information stolen wasn’t instantly salacious; it involved US government employees; and it didn’t have the element of international scandal.
The agency in question is the United States Office of Personnel Management (OPM). For context, think of it as an enormous human resources department for the entire US federal government system and its millions of employees.
Early on, OPM revealed the records of 1.1 million people had been stolen in the hack. That number grew to four million and has since ballooned to a massive 21.5 million. The information targeted included personal information such as social security numbers, names, dates and places of birth, and addresses.
Even if it has a boring name, that’s a pretty big data breach. What makes this particularly bad is that OPM provides security clearances to US government officials. It is the US equivalent of the office that carries out SIS security clearance checks in New Zealand on government officials who have access to sensitive information.
Potentially, everyone who works, or has worked, in the US federal government public service and who needed a security clearance has been affected.
If you’ve had a security clearance in New Zealand, or know someone who has, you’ll know that it’s not just your personal information tied up in a clearance. They ask questions of and about multiple people that you know. So those 21.5 million records possibly contain information about even more people.
But wait, it gets worse.
This week, it was revealed the data nicked by the hackers included the fingerprints of 5.6 million people.
As this Wired article points out: “When hackers steal your password, you change it. When hackers steal your fingerprints, they’ve got an unchangeable credential that lets them spoof your identity for life.”
In the scheme of biometrics, someone getting hold of the raw fingerprint is really bad news. If OPM had stored only biometric templates – the measurements derived from the fingerprints – that would be one thing: a compromised template can be discarded and a new one generated. But you can’t give someone a new set of fingerprints.
OPM is downplaying the significance of this latest aspect of the breach. An interagency government group that includes the FBI and the Department of Homeland Security is reviewing potential ways the hackers could misuse the fingerprint data. In a statement, OPM said federal government security experts believed the ability to misuse fingerprint data was limited but it warned that this could change over time as technology evolved.
In comparing the breach at Ashley Madison with the one at the Office of Personnel Management, we are reminded that not all data is created equal, because some personal information is more personal than the rest.
* The jury’s still out on whether this was an actual hack. We’ve based our commentary on various stories in the media at the time, but there’s also evidence that points to the incident being the work of a malicious insider.
Image credit: Fingerprint from page 88 of "Biology and man" (1944), Ginn and company publishers.