Curt Flewelling, FISM News
A German security researcher certainly got more than he bargained for when he bid a mere $68 for a used military biometric scanning device on eBay. Upon inspection, Matthias Marx of Hamburg, Germany soon realized that the device arrived with the memory card still inside.
Marx belongs to a European hacker association called the Chaos Computer Club (CCC). The group was concerned about reports documenting the Taliban’s seizure of U.S. military devices that might contain the identities of Afghans who assisted U.S. forces during the war in Afghanistan.
The group purchased six devices off eBay, four Secure Electronic Enrollment Kits (SEEK II) and two Handheld Interagency Identity Detection Equipment (HIIDE) devices. CCC found sensitive data on two of the SEEK IIs. One device contained personal information on 2,632 individuals. The other device contained fingerprints and iris scans of U.S. service members.
The highly sensitive data should have been destroyed years ago and could very well be putting U.S. military members and Afghans willing to help the U.S. in mortal danger.
The Department of Defense (DOD) press secretary, Brigadier General Patrick S. Ryder, told the New York Times, “Because we have not reviewed the information contained on the devices, the department is not able to confirm the authenticity of the alleged data or otherwise comment on it.”
He went on to say, “The department requests that any devices thought to contain personally identifiable information be returned for further analyses.”
Thankfully, Marx appears to be proceeding in a very thoughtful and cautious manner as he has refused to share the data with media outlets and immediately contacted DOD for guidance. However, their somewhat cavalier response was “alarming” to the young security researcher.
Marx alleges that DOD failed to investigate or take action to protect those affected by the leak. He told the New York Times, “I find the military’s failure to delete this highly sensitive data ‘disturbing,’ they didn’t even try to protect the data.” He further suggested it was because “they didn’t even care about the risk, or they ignored the risk.”
The saga unfortunately continues as the DOD will not contact CCC directly to verify the authenticity of the data and securely dispose of the device. Instead, DOD has provided the news publisher ARS Technica with an address to be shared with CCC, so they can send the device back for analysis.
Marx informed ARS that he will not send the device to an unverifiable address and continues to request that the DOD contact them directly. Marx told ARS, “Sadly, nobody seems to assume any responsibility, let alone make any effort to protect those affected, we will hence delete the data — which is already more safe than it was before-shortly.”