US OPM hack attack worse than first feared

The US Office of Personnel Management has revealed its large-scale data security breach was far more severe than first believed, with millions of additional fingerprint records stolen. 

Hackers who stole security clearance data on millions of US Defense Department and other government employees got away with around 5.6 million fingerprint records, some 4.5 million more than initially reported. 

The additional stolen fingerprint records were identified as part of an ongoing analysis of the data breach by the OPM and the Department of Defense. 

The data breach was uncovered in July and affected security clearance records dating back many years. 

The news came just ahead of a state visit to Washington by Chinese President Xi Jinping.  

Intelligence officials have privately blamed the breach on Chinese government hackers, but they have avoided saying so publicly. 

US President Barack Obama has said cybersecurity will be a major focus of his talks with Xi at the White House on Friday.  

US officials have said no evidence has surfaced yet suggesting the stolen data has been abused, though they fear the theft could present counterintelligence problems.  

White House spokesman Josh Earnest said the investigation into the data breach was continuing and he did not "have any conclusions to share publicly about who may or may not have been responsible". 

Investigators only recently discovered that the additional fingerprints had been stolen as they continued to assess the data breach, OPM said in a statement. 

During that process, investigators "identified archived records containing additional fingerprint data not previously analysed," the OPM statement said. 

As a result, the estimated number of people who had fingerprint records stolen rose to 5.6 million from the 1.1 million initially reported, it said. 

OPM said the total number of people affected by the breach was still believed to be 21.5 million. 

The agency downplayed the danger posed by stolen fingerprint records, and claimed the ability to misuse the data is currently limited. But it acknowledged the threat could increase over time as technology evolves. 

"An interagency working group with expertise in this area ... will review the potential ways adversaries could misuse fingerprint data now and in the future," it said. 

The group includes members of the intelligence community as well as the FBI, Department of Homeland Security and the Pentagon. 

"If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach," OPM said. 

The individuals affected by the breach have still not been notified. The OPM statement said the personnel office and Defense Department were working together to begin mailing notifications to those affected.