The number of people applying for or receiving security clearances whose fingerprint images were stolen in one of the worst government data breaches is now believed to be 5.6 million, not 1.1 million as first thought, the Office of Personnel Management (OPM) announced Wednesday.
The agency was the victim of what the U.S. believes was a Chinese espionage operation that affected an estimated 21.5 million current and former federal employees or job applicants. The theft could give Chinese intelligence a huge leg up in recruiting informants inside the U.S. government, experts believe. It also could help the Chinese identify U.S. spies abroad, according to American officials.
The White House has said it's going to discuss cybersecurity with Chinese President Xi Jinping when he visits President Barack Obama later this week.
The Obama administration has not publicly blamed China or taken any public action in retaliation for the hack. Intelligence officials have called the data a fair intelligence target, one the U.S. would pursue if it had the chance.
OPM says the ability of an adversary to misuse fingerprint data is limited, though an agency statement acknowledged that "this probability could change over time as technology evolves."
For American intelligence agencies, the notion that the Chinese have fingerprints on millions of federal security clearance holders, some of whom may be intelligence officers overseas, is troubling. Any intelligence officer whose prints have been taken would face great risk in operating under an alias because those prints would give away someone's true identity.
OPM spokesman Samuel Schumach said in the statement that the agency identified the "additional fingerprint data not previously analyzed" while working with the Department of Defense. Mike Rogers, the director of the Pentagon's National Security Agency, has said his agency was brought in to help.
Republicans accused the administration of putting out the update at a time when Washington was preoccupied with the pope's visit.
"Today's blatant news dump is the clearest sign yet that the administration still acts like the OPM hack is a PR crisis instead of a national security threat," said Republican Sen. Ben Sasse of Nebraska, a member of the Senate Homeland Security and Governmental Affairs Committee.
In response, Schumach said the agency only "very recently" learned of the new fingerprint data, and confirmed the final number Wednesday morning.
The OPM hack exposed the state of federal cybersecurity and cost the agency director her job. Intelligence officials say the full extent of damage will play out over years and may never be visible to the public.
The stolen records included detailed biographical forms that federal employees must fill out to obtain security clearances, and they would have provided identifying information about friends and family in the U.S. and overseas. That kind of information would give the Chinese vast new opportunities to target people for recruitment, a process that can take years of intelligence-gathering. It also could allow the Chinese to pinpoint American intelligence officers abroad, given that CIA case officers are not in the database unless they held a previous government job.
Jim Lewis, who has advised the government on cyber security for more than a decade, told CBS News correspondent Jeff Pegues earlier this year that China is engaging in cyber attacks to gather intelligence.
"They are collecting huge amounts of data and they are mining it to see if they can find interesting patterns to get a sense of who their opponents are," Lewis said.
Experts say the attack on OPM bears similarities to earlier attacks against health care companies Anthem Blue Cross and Premera. All of the hacks appear aimed at personnel records, not financial information.
In wake of the high profile attacks, the FBI has stepped up the recruitment and training of new agents in cyber crime, the "CBS Evening News" reported.