Sensitive US military data found on eBay – NYT

27 Dec, 2022 14:53 / Updated 2 years ago
German computer enthusiasts reportedly bought gadgets containing information on 2,600 people from Iraq and Afghanistan

A German computer club purchased several biometric capture devices on eBay and found that they still contained fingerprints, iris scans, photographs and descriptions of thousands of people who interacted with the US Army in Iraq and Afghanistan, according to the New York Times.

Inspired by a 2021 article on the Taliban seizing similar biometric devices following the US withdrawal from Afghanistan, Matthias Marx and members of the Chaos Computer Club in Berlin purchased six such devices on eBay, the newspaper reported on Tuesday. 

One of these machines – a Secure Electronic Enrollment Kit (SEEK II) that cost Marx $68 – contained scans taken at detention facilities, on patrols, following a roadside bomb attack, and on local staff. The device had last been used near the Afghan city of Kandahar in 2012, and most of the individuals whose data it contained were from Iraq and Afghanistan. Several were considered terrorists by the US.

The SEEK II is a shoebox-sized device, capable of recording fingerprints, iris scans, and photographs. It stores this data on a memory card, allowing soldiers to compile biometric information while on the move and upload it later to a military database.

Had the US military simply removed the device’s memory card, Marx and his team would not have been able to see the personal information of the 2,632 people.

“It was disturbing that they didn’t even try to protect the data,” Marx told the Times. “They didn’t care about the risk, or they ignored the risk.”

After the US withdrew its forces from Afghanistan last August, the Taliban reportedly carried out a wave of reprisal killings. According to Human Rights Watch, the militants targeted, among others, locals who worked for the US-backed Afghan military. The Taliban leadership rejected Human Rights Watch’s claims, describing them as “slander against the Islamic Emirate of Afghanistan.”

A second SEEK II, last used in Jordan in 2013, contained the fingerprints and scans of “a small group of US service members,” the Times stated, noting that according to the US military, this information would have been stored during a training session.

The Pentagon said that it is “not able to confirm the authenticity of the alleged data,” and called on the Chaos Computer Club to return the devices to the US. Marx told the Times that he plans on deleting the data after presenting his findings at a hacker event in Berlin this week.