First, they could be used to sniff out individuals operating in a foreign country under false identities. Imagine that you, an American spy, travel to Hackistan ostensibly to work as the ambassador’s dog walker. The Hackistani government grabs your fingerprints when you arrive in the country. But now, after their successful hack, they can check yours against the prints in the stolen OPM database. They find that your prints are a partial match with the prints of a contractor who worked for the U.S. Department of Defense a decade ago. Uh oh. “Hmm, maybe this isn’t really a dog walker after all,” the Hackistanis might think. “Let’s look a bit more closely at this guy.”

Second, Berke said, the prints may help in creating new, assumed identities for the thieves or their associates. Foreign operatives could do this “by replacing the fingerprint data of legitimate employees with the fingerprints of a person who wishes to assume that identity,” Berke wrote in an email. Typically, the OPM would be able to track changes made to the personnel database. But in this case, the hackers had administrative access, and it’s impossible for OPM now to know if changes were made.

Third, the prints could be used, in combination with some of the other stolen data like names and Social Security numbers, as further identity authentication.