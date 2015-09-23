(Adds quotes, details, background)
By David Alexander
WASHINGTON, Sept 23 Hackers who stole security
clearance data on millions of Defense Department and other U.S.
government employees got away with about 5.6 million fingerprint
records, some 4.5 million more than initially reported, the
government said on Wednesday.
The additional stolen fingerprint records were identified as
part of an ongoing analysis of the data breach by the Office of
Personnel Management and the Department of Defense, OPM said in
a statement. The data breach was discovered this spring and
affected security clearance records dating back many years.
The news came just ahead of a state visit to Washington by
Chinese President Xi Jinping. U.S. officials have privately
blamed the breach on Chinese government hackers, but they have
avoided saying so publicly.
President Barack Obama has said cybersecurity will be a
major focus of his talks with Xi at the White House on Friday.
The United States has told China that industrial espionage in
cyberspace by its government or proxies is "an act of aggression
that has to stop," Obama said recently.
U.S. officials have said no evidence has surfaced yet
suggesting the stolen data has been abused, though they fear the
theft could present counterintelligence problems.
White House spokesman Josh Earnest said on Wednesday the
investigation into the data breach, which affected the records
of some 21.5 million federal workers, was continuing and he did
not "have any conclusions to share publicly about who may or may
not have been responsible."
He indicated the OPM announcement was not related to Xi's
visit but instead came about because officials at OPM had met
with members of Congress and told them about the fingerprints
and so needed to release the information to the public as well.
Officials from OPM and the Defense Department only recently
discovered that the additional fingerprints had been stolen as
they continued to assess the data breach, OPM said in a
statement.
During that process, officials "identified archived records
containing additional fingerprint data not previously analyzed,"
the OPM statement said. As a result, the estimated number of
people who had fingerprint records stolen rose to 5.6 million
from the 1.1 million initially reported, it said.
OPM said the total number of people affected by the breach
was still believed to be 21.5 million.
The agency downplayed the danger posed by stolen fingerprint
records, saying the ability to misuse the data is currently
limited. But it acknowledged the threat could increase over time
as technology evolves.
"An interagency working group with expertise in this area
... will review the potential ways adversaries could misuse
fingerprint data now and in the future," it said.
The group includes members of the intelligence community as
well as the FBI, Department of Homeland Security and the
Pentagon.
"If, in the future, new means are developed to misuse the
fingerprint data, the government will provide additional
information to individuals whose fingerprints may have been
stolen in this breach," OPM said.
Senator Ben Sasse, a Nebraska Republican who has accused the
administration of failing to take cybersecurity seriously, said
the OPM announcement was further evidence that officials viewed
the data breach as "a PR (public relations) crisis instead of a
national security threat."
The individuals affected by the breach have not yet been
notified. The OPM statement said the personnel office and
Defense Department were working together to begin mailing
notifications to those affected.
