
Article

27 December 2022

Author:
Kashmir Hill, John Ismay, Christopher F. Schuetze & Aaron Krolik, The New York Times

Researchers find a military database with more than 2,000 biometric records for sale on eBay

"For Sale on eBay: A Military Database of Fingerprints and Iris Scans", 22 December 2022

The shoebox-shaped device, designed to capture fingerprints and perform iris scans, was listed on eBay for $149.95. A German security researcher, Matthias Marx, successfully offered $68, and when it arrived at his home in Hamburg in August, the rugged, hand-held machine contained more than what was promised in the listing.

The device’s memory card held the names, nationalities, photographs, fingerprints and iris scans of 2,632 people.

Most people in the database, which was reviewed by The New York Times, were from Afghanistan and Iraq. Many were known terrorists and wanted individuals, but others appeared to be people who had worked with the U.S. government or simply been stopped at checkpoints. Metadata on the device, called a Secure Electronic Enrollment Kit, or SEEK II, revealed that it had last been used in the summer of 2012 near Kandahar, Afghanistan.

Exactly how the device ended up going from the battlefields in Asia to an online auction site is unclear. But the data, which offers detailed descriptions of individuals in addition to their photograph and biometric data, could be enough to target people who were previously unknown to have worked with U.S. military forces should the information fall into the wrong hands.

Over the past year, Mr. Marx and a small group of researchers at the Chaos Computer Club, a European hacker association, bought six biometric capture devices on eBay... planning to analyze them to find any vulnerabilities or design flaws. They were motivated by concerns raised last year that the Taliban had seized such devices after the U.S. evacuation from Afghanistan. The group of researchers wanted to understand whether the Taliban could have gotten biometric data about people who had assisted the United States from the devices, putting them at risk.

Finding so much information sitting unencrypted and easily accessible shocked them.

Of the six devices the researchers bought on eBay... two of the SEEK II devices had sensitive data on them.

According to the Defense Logistics Agency, which handles the disposal of millions of dollars of excess Pentagon matériel each year, devices like the SEEK II and the HIIDE never should have made it to the open market... Instead, all biometric collection gear is supposed to be destroyed on site when no longer needed by military personnel, as are other electronic devices that once held sensitive operational information.

How eBay sellers obtained these devices is unclear. The device with the 2,632 profiles was sold by Rhino Trade, a surplus equipment company in Texas. The company’s treasurer, David Mendez, said it had bought the SEEK II at an auction of government equipment and did not realize a decommissioned military device would have sensitive data on it.

“I hope we didn’t do anything wrong,” he said.

The SEEK II with the American troops’ information came from Tech-Mart, an eBay seller in Ohio. Tech-Mart’s owner, Ayman Arafa, declined to say how he had acquired it, or two other devices he sold to the researchers.

An eBay spokesman said company policy prohibited the listing of electronic devices that contained personally identifiable information. “Listings that violate this policy will be removed, and users may face actions up to, and including, a permanent suspension of their account,” the spokesman said.

The sensitive data on the devices was stored on memory cards. If the cards had been removed and destroyed, this data would not have been exposed.

Ella Jakubowska, a policy adviser on biometric information at European Digital Rights, a privacy advocacy group, said the military should inform all the people whose data had been exposed.

Mr. Marx alerted the Department of Defense about the unprotected data, as well as the manufacturer of the device, HID Global. Asked for comment, HID Global said in a statement that it did not “share details about our customers or specific product implementations.”
