WASHINGTON — Just a day before the arrival of President Xi Jinping here for a meeting with President Obama that will be focused heavily on limiting cyberespionage, the Office of Personnel Management said Wednesday that the hackers who stole security dossiers from the agency also got the fingerprints of 5.6 million federal employees.
The attack on the agency, which is the main custodian of the government’s most important personnel records, has been attributed to China by American intelligence agencies, but it is unclear exactly what group or organization engineered it. Before Wednesday, the agency had said that it lost only 1.1 million sets of fingerprints among the records of roughly 22 million individuals that were compromised.
“Federal experts believe that, as of now, the ability to misuse fingerprint data is limited,” the agency said in a written statement. But clearly the uses are growing as biometrics are used more frequently to assure identity, in secure government facilities and even on personal iPhones.
The working assumption of investigators is that China is building a huge database of information about American officials or contractors who may end up entering China or doing business with it. Fingerprints could become a significant part of that effort: While a Social Security number or a password can be changed, fingerprints cannot.
Customs and immigration officials frequently fingerprint incoming travelers; millions of fingerprints in a Chinese database would help track the true identities of Americans entering the country.
“I am assuming there will be people we simply can’t send to China,” a senior intelligence official said this summer, before the most recent revelation. “That’s only part of the damage.”
The agency said that an “interagency working group,” with help from the F.B.I., the Department of Homeland Security and the intelligence agencies, “will review the potential ways adversaries could misuse fingerprint data now and in the future.”
One of the biggest concerns about the breach of personnel records has been that China, or any other states given access to the data, could use it to identify intelligence agents, defense personnel or government contractors. Other data on the forms that were obtained, about matters as varied as bankruptcies and personal and sexual relationships, could be used for blackmail.
Democratic and Republican lawmakers have been unsparing in their criticism of the personnel agency’s handling of the data breach and its aftermath — and its habit of periodically revising upward the amount of information that was lost. Government officials have not been able to explain publicly why it took more than a year to discover that information was leaving its systems at a tremendous rate.
Senator Mark Warner, Democrat of Virginia, said in a statement on Wednesday that “the massive new number of employees’ fingerprints that was breached is shocking.” He continued, “And it does little to instill confidence in O.P.M. that it took them so long to detect that the number was so much larger than originally thought.”
He called for “lifetime identity protection coverage” for the affected employees and contractors. But that assumes there was a financial motive to the theft; officials say it seems more likely that it was a national security motive.
In testimony to a House committee recently, the director of the National Security Agency, Adm. Michael S. Rogers, said it had seen no evidence that the data lifted from the O.P.M. over more than a year had been used for any financial purpose, like gaining access to bank accounts or credit cards.
During Mr. Xi’s visit to Washington, he and Mr. Obama are expected to announce, at a minimum, that they are working on a set of rules for cyberspace that would amount to a first effort at a digital arms control agreement. But that would not cover traditional espionage, which both sides conduct against each other. So the theft of personnel files, which the administration has never publicly blamed on China, would not be covered.
In fact, the director of national intelligence, James R. Clapper Jr., said over the summer that if the United States had the opportunity to steal that much data about an adversary, it would probably try to do it. And testifying to Congress alongside Admiral Rogers recently, he pushed back at members of Congress who called the breach at O.P.M. an “attack.” Instead, he suggested, it was ordinary espionage.
But despite those public statements, several officials have said in background briefings that the scale of the breach was so vast that it might require some kind of government response. Hackers did not just get the data on federal employees, but also on job applicants, contractors and many others who have been subjected to government background checks.
“It was so big,” one senior intelligence official said, “that we have to ask the question of whether the scope of it changed the nature of the theft.”
Although Mr. Obama has hinted at sanctions against China, largely for intellectual property theft, the administration has decided to put off the decision until after Mr. Xi’s visit.
Ahead of the meeting with Mr. Xi, administration officials have been coy about what form, and how extensive, any effort to come up with common rules for cyberspace may take. “I don’t want to suggest that we reached an arms control agreement here,” Benjamin J. Rhodes, a deputy national security adviser, said on Tuesday in a briefing to reporters about Mr. Xi’s visit.
“But I do want to suggest that ultimately the goal here is we start from a common understanding that you have agreed-upon principles which we believe must include that cybertheft does not go forward. And then as the two largest economies in the world, I think we can lead an effort to develop international norms that govern cyberactivity.”
But he emphasized that America’s main concern was the theft of intellectual property that is used by an adversary for commercial purposes. The breach does not fit into that category, and Mr. Obama has not said exactly how he would respond to it.