Military device with biometric database of 2,000 people sold on eBay for $68

Image: A US ISAF soldier from Task Force Geronimo Apache Team, US Army 4th Delaware Platoon collects biometric information from an Afghan villager in the village of Mans Kalay in Sabari, Khost district on August 4, 2012. Jose Cabezas/Getty Images

When a German security researcher, Matthias Marx, found an American military device for sale on eBay - an instrument previously used to identify wanted individuals and known terrorists during the war in Afghanistan - Marx played around a bit and placed a low bid of $68.

He probably didn't expect to win, since he offered less than half the seller's asking price of $149.95. But he won, and after that he was in for an even bigger surprise, The New York Times reported. When the device arrived with a memory card still inside, Marx was shocked to realize he had unwittingly purchased the names, nationalities, photographs, fingerprints and iris scans of 2,632 people whose biometric data would have been scanned by the US military.

The device allegedly stored personally identifiable information (PII) not only of apparently suspicious people, but also of members of the US military, people in Afghanistan who worked with the government, and ordinary people temporarily detained at military checkpoints. Most of the data came from residents of Afghanistan and Iraq.

All of this data was supposed to be destroyed on the spot, but that apparently never happened. The failure to erase the device is consistent with occasional U.S. military failures over the past decade that have exposed those who assist the U.S. military and members of the U.S. military to the risk of being identified and targeted by the Taliban, the Times reported.

Currently, no one knows how many times the device has changed hands since it was last used in 2012 near Kandahar, Afghanistan.

Marx exercised great caution with the data, refusing to share the database electronically with the Times. Instead, the Times sent a reporter to Marx's location in Germany to view the data, then contacted at least one American who confirmed the data was likely his.

Department of Defense (DOD) press secretary Brigadier General Patrick S. Ryder told The Times that the department would have to review the data before confirming its authenticity.

"Because we have not reviewed the information contained on the devices, the department is unable to confirm the authenticity of the alleged data or otherwise comment on it," Ryder told The Times. "The department requests that any device that may contain personally identifiable information be returned for further analysis."

Experts told The Times that if the data is authentic, this particular breach could have fatal consequences. They recommend that the US government review the data, notify everyone affected by the breach, and then grant asylum to anyone still based in Afghanistan.

When Marx discovered the data, he said he contacted the DOD, but Marx told Ars he was "alarmed" when the DOD allegedly failed to investigate or take action to protect those affected by the leak.

"We also imagined the data would be useful for investigating how the devices ended up online and determining who else is potentially at risk," Marx told Ars.

Marx told The Times that he found the military's failure to delete this highly sensitive data "disturbing", alleging that "they didn't even try to protect the data", and suggesting that it was because “they didn't care about the risk, or they ignored the risk.”

Buying military devices on eBay

Marx belongs to a European hacker association called Chaos Computer Club (CCC). He told The Times that the CCC was alarmed by reports documenting the Taliban's seizure of US military aircraft after the US evacuation from Afghanistan. Last year, The Intercept reported that the Taliban's goal was to identify Afghans assisting enemy forces.

Wanting to learn more about these security risks, CCC turned to eBay, where they purchased six devices, the Times reported. Of the four Secure Electronic Registration Kits (S...
