5.6 million fingerprints compromised in OPM breach – you can't change your fingerprint!
This is evident in the latest report from the Office of Personnel Management (OPM). Their data breach, which includes a compromise of 21 million Social Security numbers of former and current government employees, just got much worse. Amazingly, although the breach was reported months ago, the government is just now coming forward with additional details on the compromise. OPM is now saying that 5.6 million people's fingerprints were stolen as part of the hacks.
Data breaches involving biometric data like fingerprints are particularly concerning. Unlike credit and debit cards, usernames and passwords, and sometimes even Social Security numbers, fingerprints cannot be changed. So those affected by this fingerprint breach may have to deal with identity theft issues for their entire life.
We are using our fingerprints more and more today to unlock our phones and security services. Passwords are being replaced by fingerprints. That's why it's concerning because the hackers could really leverage this biometric data and cause increasing harm to individuals.
Plus, "credit monitoring," which OPM and every other breached organization is so quick to offer as the remedy to make things "all better," is not going to help here. Not offering the appropriate remedy to affected individuals in a data breach is the hottest area and claim for class action lawyers today. Credit monitoring is not always appropriate and can come back to bite a breached organization. Unfortunately, no great remedy currently exists for fingerprint breaches.
It will also be interesting to watch how the state breach notice laws evolve in this area. Only a handful of states currently include "biometric data" (such as fingerprints) in the definition of Personally Identifiable Information. Count on this to change soon.