German researchers who were conducting a study on security managed to find an old U.S. military device on eBay containing the biometric data of 2,632 people, it was reported today.
According to the New York Times, which first reported the story, the researchers were taken aback when they discovered what they’d got for their $68. That was a SEEK II device, a biometric data collection system that the U.S. started using after the September 2001 attacks. The device is capable of storing photographs, recording thumbprints, and recording iris scans, all useful when you’re tracking suspected terrorists or identifying people who turn up at bases or cross certain borders in Afghanistan and Iraq.
That’s exactly the kind of data the researchers found on the device, which had last been used in 2012 close to Kandahar, Afghanistan. What’s worrying is that the data still in the device was not encrypted and was only protected by a default password. Some of the information in there belonged to known terrorists, people of concern, and employees of the U.S. government. Other data belonged to people who’d just been stopped at the border.
“We were able to read, copy and analyze them without any difficulty,” said the researchers in a blog post. Elsewhere in the post, they referenced an article from 2007 that warned that if such devices “end up in the wrong hands,” they can help the wrong people to create a “hit list.”
The researchers went on, saying getting to the “highly sensitive” data was so easy it was “downright boring.” They said they contacted the German authorities and told them that “used devices with highly sensitive data can easily be ordered on the Internet.” They added, “However, no one seems to care about the data leak.”
The German Bundeswehr (armed forces) at least acknowledged that they had received the information, but it seems nothing was done after that. The researchers waited a month and then returned to eBay and bought another similar device loaded with sensitive data. They called the fact they could do this “incomprehensible” and “unbelievable.” It goes without saying that anyone with such a device can look for U.S. names and either exploit that data somehow or at least track the person down.
The Times spoke with the U.S. Defense Department’s press secretary, Brig. Gen. Patrick S. Ryder, who said he couldn’t comment on the matter until U.S. analysts had seen the devices and authenticated them. “The department requests that any devices thought to contain personally identifiable information be returned for further analysis,” he said.