The Office of Personnel Management underestimated the number of people who had their biometric data stolen in this year’s high-profile hack, with an additional 4.5 million people being affected.
In a Wednesday press release, an OPM spokesman said the subset of individuals whose fingerprints have been stolen has increased from approximately 1.1 million to 5.6 million. That number, according to the agency, comes after OPM and the Defense Department identified archived records containing additional fingerprint data that were not previously analyzed.
The agency says the revision does not increase the overall estimate of 21.5 million individuals impacted by the breach.
“An interagency team will continue to analyze and refine the data as it prepares to mail notification letters to impacted individuals,” the release reads.
According to OPM, the ability to misuse fingerprint data is limited. A working group between OPM, DOD, the Department of Homeland Security and the intelligence community has been established to review the potential ways adversaries could misuse fingerprint data now and in the future.
“If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach,” the release reads.
In July, OPM announced sensitive information, including the Social Security numbers of 21.5 million individuals, was stolen from the agency’s background investigation databases. That includes 19.7 million individuals that applied for a background investigation and 1.8 million non-applicants, predominantly spouses or co-habitants of applicants.
Rep. Darrell Issa, R-Calif., the former chair of the House Committee on Oversight and Government Reform, told FedScoop that it’s “not uncommon for a breach to be revised up,” but wondered how the revision will drive the federal cybersecurity strategy forward.
“We’re not doing it right,” Issa said. “We’re having major breaches and they’re not all Russian or Chinese in nature. So now the question is, have we learned from this breach? And the answer is ‘no.’”
Current House Oversight chair Jason Chaffetz, R-Utah, said in a released that OPM “has bungled this every step of the way.”
“OPM keeps getting it wrong,” Chaffetz said. “This breach continues to worsen for the 21.5 million Americans affected. I have zero confidence in OPM’s competence and ability to manage this crisis. OPM’s IT management team is not up to the task.”
Earlier this month, OPM and DOD awarded a contract to Portland, Oregon-based ID Experts for identity theft protection, identity monitoring, and data breach response and protection services in the hack’s wake.
The House Committee on Oversight and Government Reform issued a letter Tuesday asking OPM and DOD for more information related to that contract.
The National Treasury Employees Union, the nation’s largest independent federal-employee union, called on OPM to extend lifetime coverage for federal employees.
““This is further evidence that OPM’s proposal to offer credit monitoring and identity theft protections for up to three years is totally inadequate,” NTEU National President Tony Reardon said. “In light of today’s news, I once again urge the administration to provide lifetime coverage.”