The scariest part of the massive hack at the Office of Personnel Management may not be the breach of Social Security numbers or employment information.
Instead, it could be something closer to home — in fact, just on the tip of your fingers: The breach exposed more than 1 million fingerprints to hackers. And unlike an address or even a Social Security number, those fingerprints can't be changed.
"Fingerprints can be very convenient because a password is something you know, but a fingerprint is something you are," said Alvaro Bedoya, executive director of the Center on Privacy & Technology at Georgetown Law.
Fingerprints are a key element of biometric data — used for everything from background checks and border crossings to unlocking smartphones. Some secure workplaces even use them to verify employees' identities.
They're often thought of as a more secure way to prove identities than passwords. But unlike a password, your fingerprints aren't a secret: You leave them on everything you touch. That means fingerprints are most effective, and potentially more dangerous, when paired with the other data compromised in the OPM breach, said Bedoya.
The government has remained quiet about who it thinks was behind the breach, but many suspect it is part of an attempt by China to build a massive database on Americans. And if that's the case, a foreign government has access to a permanent way to identify a lot of people who applied for security clearances — although likely not the most covert of spies at the CIA, because that agency keeps its records in a separate system.
It remains unclear exactly how the hackers might use the prints or what exact format they were stored in. That is a key question for Bedoya, who says that if the prints were complete and high quality, there could be "some acutely negative long-term consequences for individuals affected and their future use of fingerprints to verify their identities."
An FBI spokesperson said the agency was unable to comment on the specific format of the fingerprint data due to the ongoing investigation into the breach.
Asked about the fingerprint breach, OPM spokesperson Samuel Schumach said affected individuals will be contacted once the agency finalizes its notification process. “Right now, OPM continues to work with the Department of Defense on an appropriate process and selection of a vendor for notification,” he said.