German researchers who bought biometric data capture devices on eBay discovered that their memory cards stored classified US military data, reports The New York Times.

These included fingerprints, iris scans, photographs, names and descriptions of individuals, mostly from Iraq and Afghanistan. Many of them worked for the US military and could become targets if the devices fell into the wrong hands.

A group of researchers called the Chaos Computer Club, led by Matthias Marx, bought six devices on eBay, most of which cost less than $200. They were prompted by report of The Intercept from 2021 that the Taliban had captured similar American military biometric devices. As such, they wanted to see if they contained identifying information of people who were helping the US military, which could put them at risk.

The results were shocking, the report said. The names, nationalities, photos, fingerprints and iris scans of 2,632 people were found on the memory card of one of the devices. Other metadata indicated that the device was used near Kandahar, Afghanistan, in the summer of 2012. Another device was used in Jordan in 2013 and contained the fingerprints and iris scans of a small group of US military personnel.

Such devices have been used to identify insurgents, screen local residents and third-country nationals who have access to US bases, and establish links between people and events, according to a 2011 manual for the devices. “It was disturbing that they [the US military] didn’t even try to protect the data,” Marx told the NY Times. “They didn’t care about the risk, or they ignored the risk.”

One device was purchased at a military auction, and the seller said he was unaware of the sensitive data. Such information was stored on a memory card, so the US military could eliminate the risk by simply deleting or destroying the cards before sale.

“Because we have not reviewed the information contained on the devices, the department is not able to confirm the authenticity of the alleged data or otherwise comment on it,” said the spokesman for the US Department of Defense, Patrick S. Ryder, in an interview to the Times. “The department requests that any devices thought to contain personally identifiable information be returned for further analysis.”

Given the sensitivity of the information, the group plans to delete any personal information found on the devices. Another researcher noted that any individuals found on such devices are not safe, even if they have changed their identity and must seek asylum from the US government.