A group of hackers bought biometric capture devices on eBay to see if they would find biometric data on people who assisted the U.S. military, and that's exactly what they found, according to Yahoo News.
When a group called the Chaos Computer Club, also known as the CCC (the self-described "largest association of hackers" in Europe), read a 2021 story from the Intercept about the Taliban seizing U.S. biometric devices, they wanted to see how easy it was to obtain the data or whether it existed.
The devices, called Handheld Interagency Identity Detection Equipment (HIIDE), were "used as a biometric ID tool to help ID locals working for the coalition," a military contractor explained to the Intercept.
When the CCC found the devices listed on eBay, the group bought six, most of which were under 200 euros. On one device purchased for just $68 were the names, nationalities, photographs, fingerprints, and iris scans of 2,632 people. Most of the people identified on the device's memory card were from Afghanistan and Iraq, according to the New York Times.
Another device used in Jordan in 2013 contained fingerprints and iris scans of U.S. soldiers. The New York Times confirmed with one of the people whose data was on the machine that it was likely his, a Marine intelligence specialist who said his data was likely collected during a training course.
Yet another device obtained legally, called a Secure Electronic Enrollment Kit (SEEK II), contained data that was collected from "detainment facilities, on patrols, during screenings of local hires and after the explosion of an improvised bomb."
"It was disturbing that they didn’t even try to protect the data," said one of the buyers, called Matthias Marx, regarding the lack of encryption on the files.
“They didn’t care about the risk, or they ignored the risk,” he continued.
The Defense Department of course recommends that any or all devices containing such sensitive data be returned to authorities.
“Because we have not reviewed the information contained on the devices, the department is not able to confirm the authenticity of the alleged data or otherwise comment on it,” said Brigadier General Patrick S. Ryder, press secretary for the Defense Department.
After analyzing the data and presenting the findings at a German hacking event, per the New York Times, the group says it will delete all the sensitive data.