Military devices with biometric data on thousands of people, including Americans, are being sold to the highest bidder on eBay, putting troops and their helpers at risk and raising questions about why the data isn’t better protected.
U.S. troops used the handheld “biometric capture” devices to collect fingerprints, iris scans, and other data that could identify people in foreign countries. Now, some of those devices are being put up for public auction, complete with biometric data collected on the battlefield, the New York Times reported.
“It is a disaster for the people whose data is exposed,” said Stewart Baker, a former national security official. “In the worst cases, the consequences could be fatal.”
The devices emerged as part of a broader post-9/11 program to collect biometric data, according to the Times. But data collected during the War on Terror lives on in their memory cards, which had previously spurred fears that the Taliban could use them to hunt collaborators after the U.S. withdrawal, as reported by The Intercept.
Six of the devices made it onto eBay, where they were purchased over the past year by European hackers concerned about the devices’ security.
One of the devices – called a SEEK II, short for Secure Electronic Enrollment Kit – had photographs, names, nationalities and biometric data for 2,632 people, mostly from Afghanistan and Iraq. Last used in 2012 near Kandahar, Afghanistan, it was sold by a Texas surplus company, whose treasurer said it had come from an auction of government equipment.
Another SEEK II, last used in Jordan in 2013, had fingerprints and iris scans of a small group of U.S. troops. It was bought from an Ohio-based eBay reseller, who declined to reveal its origin or that of two other devices he sold. Military officials told the Times that troops would only have given data while being trained on how to use the device.
“It was disturbing that they didn’t even try to protect the data,” Matthias Marx, one of the hackers, said of the U.S. military. “They didn’t care about the risk, or they ignored the risk.”
According to the Defense Logistics Agency, all biometric gear is meant to be destroyed on-site once it’s no longer needed. An eBay spokesman said sellers had violated site policy by selling the devices, and a Defense Department spokesman asked that such devices be turned in to the biometrics program manager at Virginia’s Fort Belvoir.
The European hacker group, called Chaos Computer Club, plans on deleting personal data from the devices after analyzing them for vulnerabilities, the Times reported.