“This should not have happened,” Mr. Baker said. “It is a disaster for the people whose data is exposed. In the worst cases, the consequences could be fatal.”
Of the six devices the researchers bought on eBay — four SEEKs and two HIIDEs, for Handheld Interagency Identity Detection Equipment — two of the SEEK II devices had sensitive data on them. The second SEEK II, with location metadata showing it was last used in Jordan in 2013, appeared to contain the fingerprints and iris scans of a small group of U.S. service members.
When reached by The Times, one American whose biometric scan was found on the device confirmed that the data was likely his. He previously served as a Marine intelligence specialist and said his data, and that of any other American found on these devices, was most likely collected during a military training course. The man, who spoke on the condition of anonymity because he still works in the intelligence field and was not authorized to speak publicly, asked that his biometric file be deleted.
Military officials said the only reason these devices would have data on Americans would be their use during training sessions, a common practice to prepare for employing them in the field.
According to the Defense Logistics Agency, which handles the disposal of millions of dollars of excess Pentagon matériel each year, devices like the SEEK II and the HIIDE never should have made it to the open market — much less an online auction site like eBay. Instead, all biometric collection gear is supposed to be destroyed on site when no longer needed by military personnel, as are other electronic devices that once held sensitive operational information.
How eBay sellers obtained these devices is unclear. The device with the 2,632 profiles was sold by Rhino Trade, a surplus equipment company in Texas. The company’s treasurer, David Mendez, said it had bought the SEEK II at an auction of government equipment and did not realize a decommissioned military device would have sensitive data on it.
“I hope we didn’t do anything wrong,” he said.
The SEEK II with the American troops’ information came from Tech-Mart, an eBay seller in Ohio. Tech-Mart’s owner, Ayman Arafa, declined to say how he had acquired it, or two other devices he sold to the researchers.