German researchers who purchased biometric capture devices on eBay found sensitive US military data stored on their memory cards, The New York Times has reported. That included fingerprints, iris scans, photographs, names and descriptions of the individuals, mostly from Iraq and Afghanistan. Many worked with the US army and could be targeted if the devices fell into the wrong hands, according to the report.

A group of researchers called the Chaos Computer Club, led by Matthias Marx, bought six of the devices on eBay, most for under $200. They were spurred by a 2021 report from The Intercept that the Taliban had seized similar US military biometric devices. As such, they wanted to see if they contained identifying data on people who assisted the US Military that could put them at risk.

They were “shocked” by the results, according to the report. On the memory card of one device, they found the names, nationalities, photographs, fingerprints and iris scans of 2,632 people. Other metadata showed it had been used near Kandahar, Afghanistan in the summer of 2012. Another device was used in Jordan in 2013 and contained the fingerprints and iris scans of a small group of US military personnel. 

Such devices were used to identify insurgents, verify local and third-country nationals accessing US bases and link people to events, according to a 2011 guide to the devices. “It was disturbing that [the US military] didn’t even try to protect the data,” Marx told the NY Times. “They didn’t care about the risk, or they ignored the risk.

One device was purchased at a military auction, and the seller said they were not aware that it contained sensitive data. The sensitive information was stored on a memory card, so the US military could have eliminated the risk by simply removing or destroying the cards before selling them.

“Because we have not reviewed the information contained on the devices, the department is not able to confirm the authenticity of the alleged data or otherwise comment on it,” Defense Department press secretary Brig. Gen. Patrick S. Ryder told the Times. “The department requests that any devices thought to contain personally identifiable information be returned for further analysis.”

Given the sensitivity of the information, the group plans to delete any personally identifiable information found on the devices. Another researcher noted that any individuals found on such devices aren’t safe even if they changed their identities, and should be given asylum by the US government.