When a German security researcher, Matthias Marx, found a United States military device for sale on eBay—an instrument previously used to identify wanted individuals and known terrorists during the War in Afghanistan—Marx gambled a little and placed a low bid of $68.
He probably didn’t expect to win, since he offered less than half the seller’s asking price, $149.95. But win he did, and after that, he had an even bigger surprise coming, The New York Times reported. When the device arrived with a memory card still inside, Marx was shocked to realize he had unwittingly purchased the names, nationalities, photographs, fingerprints, and iris scans of 2,632 people whose biometric data had allegedly been scanned by US military.
The device allegedly stored not just personal identifiable information (PII) of seemingly suspicious persons, but also of US military members, people in Afghanistan who worked with the government, and ordinary people temporarily detained at military checkpoints. Most of the data came from residents of Afghanistan and Iraq.
All of this data was supposed to be destroyed onsite, but that seemingly never happened. The failure to wipe device is consistent with the US military’s occasional failures over the past decade, which have put people who helped the US military and US military members at risk of being identified and targeted by the Taliban, The Times reported.
Currently, no one’s sure how many times the device has traded hands since it was last used in 2012 near Kandahar, Afghanistan.
Marx has shown abundant caution with the data, declining to share the database electronically with The Times. Instead, The Times sent a reporter in Germany to Marx’s location to see the data, then got in touch with at least one American who confirmed the data was likely his.
The Department of Defense (DOD) press secretary, Brigadier General Patrick S. Ryder, told The Times that they would need to review the data before confirming its authenticity.
“Because we have not reviewed the information contained on the devices, the department is not able to confirm the authenticity of the alleged data or otherwise comment on it,” Ryder told The Times. “The department requests that any devices thought to contain personally identifiable information be returned for further analysis.”
Experts told The Times that if the data is authentic, this particular breach could have fatal consequences. They recommend that the US government review the data, inform everyone impacted by the breach, and then provide asylum for anyone still based in Afghanistan.
When Marx discovered the data, he said that he contacted the DOD, but Marx told Ars that he was “alarmed” when the DOD allegedly failed to investigate or take action to protect those affected by the leak.
“We also imagined the data would be useful to investigate how the devices ended up online and to derive who else is potentially endangered,” Marx told Ars.
Marx told The Times that he found the military’s failure to delete this highly sensitive data “disturbing,” alleging that “they didn’t even try to protect the data,” and suggesting this was because “they didn’t care about the risk, or they ignored the risk.”