For sale on eBay: A military database of fingerprints and iris scans

“That shouldn’t have happened,” said Mr. Baker said. “It’s a disaster for the people whose data is being exposed. In the worst case, the consequences could be fatal.”

What we consider before using anonymous sources. Do the sources know the information? What is your motivation for telling us this? Have they proven reliable in the past? Can we confirm the information? Even with those questions answered, The Times uses anonymous sources as a last resort. The reporter and at least one editor know the identity of the source.

Of the six devices the researchers bought on eBay — four SEEKs and two HIIDEs for wearable cross-agency identity recognition devices — two of the SEEK II devices contained sensitive data. The second SEEK II, whose location metadata shows it was last used in Jordan in 2013, appeared to contain the fingerprints and iris scans of a small group of US soldiers.

When reached by the Times, an American whose biometric scan was found on the device confirmed the data was likely his. He previously worked as a naval intelligence specialist and said his data, and that of all other Americans found on those devices, was most likely collected during a military training course. The man, who spoke on condition of anonymity because he still works in the intelligence field and was not authorized to speak publicly, asked for his biometric file to be deleted.

Military officials said the only reason these devices would have data on Americans is for their use during training sessions, a common practice to prepare for deployment in the field.

According to the Defense Logistics Agency, which handles the disposal of millions of dollars of surplus Pentagon material each year, devices like the SEEK II and HIIDE should never have made it onto the open market — let alone an online auction site like them Ebay. Instead, all on-site biometric capture devices are to be destroyed when they are no longer needed by military personnel, as well as other electronic devices that once contained sensitive operational information.

How eBay sellers got hold of these devices is unclear. The device with the 2,632 profiles was sold by Rhino Trade, a surplus equipment company in Texas. The company’s treasurer, David Mendez, said it bought the SEEK II at a government equipment auction, not knowing that a decommissioned military unit would contain sensitive data.

“I hope we didn’t do anything wrong,” he said.

The SEEK II with the information from the American troops came from Tech-Mart, an eBay seller in Ohio. Tech-Mart owner Ayman Arafa declined to say how he acquired it or two other devices he sold to the researchers.

Leave a Reply

Your email address will not be published. Required fields are marked *