Military devices with the biometric data of thousands of people, including Americans, are being sold to the highest bidder on eBay, putting troops and their helpers at risk and raising questions about why the data isn’t better protected.
US troops used hand-held “biometric capture” devices to collect fingerprints, iris scans and other data that could identify people in foreign countries. Now, some of those devices are being put up for public auction, with biometric data collected on the battlefield, the New York Times reported.
“It’s a disaster for people whose data is exposed,” said Stewart Baker, a former national security official. “In the worst case, the consequences could be fatal.”
According to the Times, the devices emerged as part of a broader post-9/11 program to collect biometric data. But data collected during the War on Terror remains on their memory cards, which had earlier prompted fears that the Taliban could use them to hunt down collaborators after the US pullout, The Intercept reports.
Six of the devices ended up on eBay, where they were bought over the past year by European hackers concerned about their security.
One of the devices, called SEEK II, short for Secure Electronic Enrollment Kit, had photographs, names, nationalities and biometric data for 2,632 people, mostly from Afghanistan and Iraq. Last used in 2012 near Kandahar, Afghanistan, it was sold by a surplus company in Texas, whose treasurer said it came from a government equipment auction.
Another SEEK II, last used in Jordan in 2013, had fingerprints and iris scans from a small group of US troops. It was purchased from an Ohio-based eBay seller, who declined to disclose its origin or that of two other devices he sold. Military officials told the Times that the troops would only have given data while training on how to use the device.
“It was disturbing that they didn’t even try to protect the data,” Matthias Marx, one of the hackers, said of the US military. “They didn’t care about the risk, or they were ignorant of the risk.”
According to the Defense Logistics Agency, all biometric equipment must be destroyed on site when no longer needed. An eBay spokesman said the sellers had violated the site’s policy by selling the devices, and a Department of Defense spokesman asked that the devices be turned over to the biometrics program manager at Fort Belvoir in Virginia.
The European hacker group, called the Chaos Computer Club, plans to delete personal data from the devices after scanning them for vulnerabilities, the Times reported.