WASHINGTON — The day before Chinese President Xi Jinping arrives for a meeting with President Obama that will emphasize cyberespionage, the Office of Personnel Management said Wednesday that the hackers who stole security dossiers from the agency also got the fingerprints of 5.6 million federal employees.
US intelligence agencies have blamed China for the hacking against the office, which is the main custodian of the government’s most important personnel records, but it is unclear what group or organization engineered it. Before Wednesday, the agency had said it lost 1.1 million sets of fingerprints among the roughly 22 million individuals whose records were compromised.
“Federal experts believe that, as of now, the ability to misuse fingerprint data is limited,” the agency said in a statement. But clearly the uses are growing as biometrics are used more frequently to assure identity, in secure government facilities and even on personal iPhones.
Investigators have assumed that China is building a huge database of information about US officials or contractors who may end up entering China or doing business with it. Fingerprints could become a significant part of that effort. While a Social Security number or a password can be changed, fingerprints cannot.
Customs and immigration officials frequently fingerprint incoming travelers; millions of fingerprints in a Chinese database would help track the true identities of Americans entering the country.
“I am assuming there will be people we simply can’t send to China,’’ a senior intelligence official said this summer. “That’s only part of the damage.’’
The agency said an interagency working group “will review the potential ways adversaries could misuse fingerprint data now and in the future.”
One of the biggest concerns about the breach of personnel records has been that China, or any other states given access to the data, could use it to identify intelligence agents, defense personnel, or government contractors. Other data on the forms that were obtained, about matters as varied as bankruptcies and personal and sexual relationships, could be used for blackmail.
Lawmakers have harshly criticized the personnel agency’s handling of the data breach and its aftermath — and its habit of periodically revising upward the amount of information that was lost. Government officials have not been able to explain publicly why it took more than a year to discover that information was leaving its systems at a tremendous rate.
In testimony to a House committee recently, the director of the National Security Agency, Admiral Michael S. Rogers, said it had seen no evidence that the data lifted from the personnel agency had been used for any financial purpose, such as gaining access to bank accounts or credit cards.
While in Washington, Xi and Obama are expected to announce, at a minimum, that they are working together on new rules governing cyberspace that would amount to a first effort at a digital arms-control agreement. But that would not cover traditional espionage, which both sides conduct against each other. So the theft of personnel files, which the administration has never publicly blamed on China, would not be covered.
In fact, the director of national intelligence, James R. Clapper Jr., said over the summer that if the United States had the opportunity to steal that much data about an adversary, it would probably try to do it. And testifying to Congress alongside Rogers recently, he pushed back at lawmakers who called the breach at OPM an “attack.’’ Instead, he suggested, it was ordinary espionage.
But despite those public statements, several officials have said in background briefings that the scale of the breach was so vast that it might require some kind of government response. Hackers did not just get the data on federal employees, but also on job applicants, contractors, and many others who have been subjected to government background checks.
“It was so big,” one senior intelligence official said, “that we have to ask the question of whether the scope of it changed the nature of the theft.”
US investigators believe China is building a database of Americans who may enter China or do business with it.
Although Obama has hinted at sanctions against China, largely for intellectual property theft, the administration has decided to put off the decision until Xi’s visit is complete.