The Office of Personnel Management (OPM) said Wednesday that it underestimated by approximately 4 million the number of individuals whose fingerprints were stolen in the massive breach revealed this spring.
OPM revised its original estimate of 1.1 million to 5.6 million after it discovered archived records not previously analyzed.
The agency says that the new estimate does not impact the overall number of individuals whose data was exposed by the hack. The total still stands at as many as 22.1 million former, current and prospective federal employees, contractors and others.
Citing federal experts, OPM assured breach victims that “as of now, the ability to misuse fingerprint data is limited,” but that “this probability could change over time as technology evolves.”
An interagency working group including members from the FBI, the Department of Homeland Security, the Department of Defense (DOD) and other intelligence community members is studying how cyber criminals could potentially exploit the data.
“If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach,” a spokesman said in a release.
Sen. Ben Sasse (R-Neb.), who has been critical of how the OPM has handled the breach fallout, immediately jumped on the news as another example of mismanagement.
“Today’s blatant news dump is the clearest sign yet that the administration still acts like the OPM hack is a PR crisis instead of a national security threat,” he said in a statement. “The American people have no reason to believe that they’ve heard the full story and every reason to believe that Washington assumes they are too stupid or preoccupied to care about cyber security.”
The OPM release also notes that officials are working with the DOD to “begin” mailing notifications to impacted individuals, part of a $133-million contract to provide three years of identity-theft protection services for those affected.
The timeline of those notifications has been under intense scrutiny. Because the contract was not awarded until two months after the breach was revealed, some victims may not find out their data was taken until November.
OPM said when it announced the contract that the DOD would begin sending direct notifications at the end of this month and that the process would take several weeks. The agency declined to give a more specific timeline.
House Oversight Committee Chairman Jason Chaffetz (R-Utah) on Tuesday demanded that the DOD turn over a copy of the contract as well as information detailing the notification process.
Chaffetz said Wednesday’s announcement was just more evidence that OPM officials are not to be trusted.
“OPM keeps getting it wrong,” he said. “This breach continues to worsen for the 21.5 million Americans affected. I have zero confidence in OPM’s competence and ability to manage this crisis. OPM’s [information technology] management team is not up to the task. They have bungled this every step of the way.”
The National Treasury Employees Union used the revelation to push for more extensive credit monitoring and identity theft protections. The union says the three years of coverage under the current contract is inadequate and is suing the agency, seeking lifetime coverage for its members.
— Cory Bennett contributed