EBay sold biometric devices with data of U.S. troops, Afghan allies, report
Much of the information was apparently easily accessible and unencrypted.
A German security researcher purchased a device on eBay that is used to capture biometric data, but when he received the equipment, he reportedly discovered it also contained the sensitive personal information of more than 2,600 people, including U.S. service members and Afghan allies.
The device used to perform iris scans and capture fingerprints was listed on eBay for $149.95. Hamburg-based researcher Matthias Marx successfully bid $68 and received the machine in August, The New York Times reported Tuesday.
The device, a Secure Electronic Enrollment Kit, or SEEK II, had last been used near Kandahar, Afghanistan, in the summer of 2012, and Marx found its memory card contained the names, pictures, nationalities, iris scans and fingerprints of 2,632 individuals, mostly of known terrorists.
Marx and other researchers at the Chaos Computer Club, a European hacking group, used the auction website to purchase six biometric capturing devices to study for design flaws. Their mission started after the U.S. withdrawal from Afghanistan in August 2021 over concerns that the Taliban may have seized similar sensitive equipment.
It is unclear how the devices went from Afghanistan to eBay, but sensitive biometric data reportedly appeared on two of the machines the group purchased.
Much of the information was apparently easily accessible and unencrypted.
"It was disturbing that they didn’t even try to protect the data," Marx said about the U.S. military. "They didn’t care about the risk, or they ignored the risk."
Rhino Trade, a Texas-based surplus company, sold the device with the 2,632 profiles. David Mendez, the company's treasurer, said Rhino Trade purchased the SEEK II at an auction without realizing there was sensitive information on it.
The other device with sensitive information came from eBay seller Ayman Arafa, who declined to talk about how he obtained the equipment.
"The irresponsible handling of this high-risk technology is unbelievable," Marx said. "It is incomprehensible to us that the manufacturer and former military users do not care that used devices with sensitive data are being hawked online."
An eBay spokesperson said the company prohibits selling devices with personal identification information.
Defense Department press secretary Brig. Gen. Patrick S. Ryder said: "Because we have not reviewed the information contained on the devices, the department is not able to confirm the authenticity of the alleged data or otherwise comment on it." He urged that any devices with personal data be returned to his agency.