HR departments often get a bad rep. But in the case of the Office of Personnel Management (OPM), the federal government’s HR office, that reputation seems well deserved.

This week, OPM admitted that five times as many fingerprints were stolen during recent security breaches. They thought that 1.1 million government workers had their fingerprints stolen from cyberattacks, but that figure is actually 5.6 million.

We add that to the 22.1 million former, current, and prospective government employees, contractors, and others whose social security numbers, addresses, and other personal information was ripped off, and we get an even clearer picture of just how much worse the biggest data breach in U.S. history continues to be. However, according to OPM, the fingerprint victims do not impact the overall number of individuals whose data was exposed.

The breach occurred back in December 2014, but it took six months for OPM to make it public and the entire summer for the Obama Administration to continue to leak out revised numbers on the breadth of this hack.

The fingerprints could be used for any number of sinister plans such as uncovering the identities of those working undercover in foreign countries. As the one blog explains, Hollywood’s imagination of stolen identities in the world of U.S. espionage could come to life:

[Fingerprints] could be used to sniff out individuals operating in a foreign country under false identities. Imagine that you, an American spy, travel to Hackistan ostensibly to work as the ambassador’s dog walker. The Hackistani government grabs your fingerprints when you arrive in the country. But now, after their successful hack, they can check yours against the prints in the stolen OPM database. They find that your prints are a partial match with the prints of a contractor who worked for the U.S. Department of Defense a decade ago. Uh oh.

Fingerprints aren’t the same as social security numbers and other information; they are a unique marker that can’t be changed or reissued – making the implications of these hacks disconcerting. The Washington Post explains:

Unlike passwords and even Social Security numbers, fingerprints cannot be changed. So those affected by this breach may find themselves grappling with the fallout for years.

“The fact that the number [of fingerprints breached] just increased by a factor of five is pretty mind-boggling,” said Joseph Lorenzo Hall, the chief technologist at the Center for Democracy & Technology. “I’m surprised they didn't have structures in place to determine the number of fingerprints compromised earlier during the investigation.”

Lawmakers, too, were upset about the latest revelation. "OPM keeps getting it wrong," said Rep. Jason Chaffetz (R-Utah). "I have zero confidence in OPM’s competence and ability to manage this crisis."

OPM’s response is probably just as concerning: sticking their heads in the sand. The Hill reports:

Citing federal experts, OPM assured breach victims that “as of now, the ability to misuse fingerprint data is limited,” but that “this probability could change over time as technology evolves.”

An interagency working group including members from the FBI, the Department of Homeland Security, the Department of Defense (DOD) and other intelligence community members are studying how cyber criminals could potentially exploit the data.

“If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach,” a spokesman said in a release.

Oh that’s comforting for the millions of people affected – which is about the size of Atlanta.

As we’ve reported, OPM has been contacting those who may have been victims and offering free identity theft and fraud protection services. The Department of Defense is hiring an identity-theft-protection-services company to monitor the hacked data, but that contract was awarded a measly two months after the breach was revealed. This means some victims may not learn their security and identify is at risk until November. That’s plenty of lead time for hackers to do serious damage to your identity while you’re totally unaware. What a nice way to kick off the holiday season!

OPM’s incompetence is on full display. Sadly, they are far from the only federal agency that carelessly neglects to make security of our private information a priority. The IRS and Health and Human Services ObamaCare repository are two more that come to mind.