Matthias Marx, a German security researcher, spotted an eBay auction for a biometric scanner tied to the U.S. military and decided to bid $68, which was about 50% of the almost $150 asking price. He ended up with the winning bid and never expected it to have a hidden surprise.
The SEEK II was used to ID terrorists and wanted individuals during the War in Afghanistan. As Taliban agents were getting into Afghan army bases, the devices were being used to heighten the safety of the troops. The SEEK II included a keyboard, a miniature screen, a mousepad, a thumbprint reader, and an iris scanner in one package. Its last known use was just over ten years ago in Kandahar. How it ended up on eBay is anyone’s best guess.
Marx is part of the Chaos Computer Club, a hacker association that spends time looking for security and design flaws. The group purchased a total of six biometric devices (four SEEK II and two Handheld Interagency Identity Detection Equipment (HIIDE)) after hearing that the Taliban had taken possession of devices when the U.S. evacuated Afghanistan in 2022. The rumor was that the Taliban were looking for information on people who had helped the U.S. military.
Sensitive Data Was Found on Several Devices
What Marx didn’t expect was for one of the SEEK II devices to arrive and still have a memory card within it. On that card were fingerprints, iris scans, and PII for more than 2,600 people.
A second SEEK II also contained fingerprints of U.S. military members. That eBay seller refused to say how the three devices sold to the group had come into the seller’s possession.
It’s uncertain how many people have had the devices in their possession in the years since they were last used. Marx has been keeping the information away from the media, and, instead, he reached out to the Department of Defense, which he felt didn’t take the urgent action that was required. The New York Times sent a reporter to Germany to confirm that one of the people named in the data actually exists.
The Department of Defense said they must review the data to confirm if it’s genuine. Allegedly, they gave Ars Technica an address to give to Marx so that he could send the devices to their government agency, but Marx feels they should contact his organization and arrange to have an official pick it up.
eBay states that selling devices with personal information is against company policy. If a seller violates the policy, they can be permanently suspended from the auction site. Clearly, something slipped through anyway. When items are decommissioned and data is destroyed, there should be a certificate to verify that the data was destroyed and by whom. All of that will need to be researched.
This isn’t the first time government information has been purchased from recycled electronics. In 2009, a group of journalism students was in Ghana filming a documentary on Ghana being a drop point for North American e-waste. While there, they purchased seven hard drives from a vendor in an open-air market.
After paying $40 for one hard drive, they accessed contracts between Homeland Security, Northrop Grumman, and the Pentagon. Nothing had been encrypted. They plugged in the hard drive and the files were easily accessible. Their research found the hard drive had been stolen from an ITAD vendor. This is why it’s so important to be able to track your devices from the minute they leave your hands and only work with companies that offer real-time tracking.
The Importance of Completely Destroying Data
Being banned from eBay is one thing, but there is far more reason to make sure you’ve destroyed data properly before reselling any electronics. The fines and financial awards in lawsuits add up even if it’s not intentional. The thing is, mistakes like these can be avoided. When disposing of or reselling used electronics, being overcautious and following an expert’s recommendations are essential measures.
Morgan Stanley is one of the more recent cases to keep in mind. The company was fined $35 million in September 2022, following a $60 million fine just a couple of years earlier. It came from a data center decommissioning that wasn’t properly handled. Electronic devices did not go through data destruction measures before they were sold online. In addition to the fines, they also had to pay $68.2 million in a legal settlement.
Maine’s HealthReach Community Health Centers had a breach of 116,000 patient records after a worker at a third-party storage facility got rid of their hard drives. All affected patients were offered a full year of credit and dark web monitoring services through IDX/Transunion, which can cost hundreds per patient.
Those are just two of the most recent cases. There are others. The thing you should take away from this is that it’s essential that you properly destroy data when you’re decommissioning a data center, disposing of outdated office equipment, or recycling electronics that stopped working. Even if the item isn’t working, the hard drive is where the information is stored, and in the wrong hands, that’s dangerous.
You need to make sure data is destroyed: 100% destroyed, not just restored to factory settings or deleted. If you simply erase a file, you remove the file system’s reference to it; the data itself stays on the drive until it is overwritten. Someone with the right skill can find that data and restore the reference.
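To make that point concrete, here is an added example (not from the article or from ERI) using a constructed toy block device: an ordinary delete drops only the index entry, so a raw scan of the blocks still finds the record, while an overwrite pass followed by a read-back check is what actually removes it. The block device, the index, the "REC:" record marker and the sample record are all constructed for the demo; no real file system or sanitization standard is modelled.

```python
import os
import re

BLOCK = 64      # bytes per block in the toy device (constructed for the demo)
NBLOCKS = 8     # a 512-byte "disk"


class ToyDisk:
    """Raw block storage plus an index (directory) mapping file name -> block."""

    def __init__(self):
        self.blocks = bytearray(BLOCK * NBLOCKS)
        self.index = {}

    def write(self, name, data):
        used = set(self.index.values())
        block = next(b for b in range(NBLOCKS) if b not in used)
        off = block * BLOCK
        self.blocks[off:off + BLOCK] = data.ljust(BLOCK, b"\x00")
        self.index[name] = block

    def delete(self, name):
        # An ordinary delete: only the index entry goes; the block is untouched.
        del self.index[name]

    def sanitize(self, passes=(b"\xff", None, b"\x00")):
        # Overwrite every block, indexed or not. None means a random-data pass.
        n = len(self.blocks)
        for pat in passes:
            self.blocks[:] = os.urandom(n) if pat is None else pat * n
        self.index.clear()


def carve(disk, marker):
    """Recovery without the index: scan the raw bytes for a known record marker."""
    raw = bytes(disk.blocks)
    return [m.start() // BLOCK for m in re.finditer(re.escape(marker), raw)]


def verify_pattern(disk, pattern):
    """Read-back check after sanitizing: every byte must equal the final pass."""
    return bytes(disk.blocks) == pattern * len(disk.blocks)


def demo():
    disk = ToyDisk()
    record = b"REC:fp=0xA1B2C3;name=Example Person"   # constructed PII-like record
    disk.write("enrol.dat", record)
    disk.delete("enrol.dat")                       # "deleted": no longer in the index
    found_after_delete = carve(disk, b"REC:")       # ... but the bytes are still there
    disk.sanitize()
    found_after_wipe = carve(disk, b"REC:")         # overwritten: nothing to carve
    return found_after_delete, found_after_wipe, verify_pattern(disk, b"\x00")
```

`demo()` returns the blocks where the record was carved after delete, after sanitizing, and whether the read-back verification passed.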
Demilitarization Services With ERI
ERI offers a full range of data destruction services, including on-site data destruction and shredding that ensures data is destroyed before devices even leave your building. We also offer demilitarization services for government agencies and contractors who need high-security data destruction services.
Our demilitarization services guarantee that only authorized, essential personnel are in the processing area, and the devices are brought into the facility by an agency representative, contractor, and authorized ERI personnel. You witness the data destruction personally and receive proof that the data was destroyed and items were recycled using the NSA/CSS Storage Device Sanitization Manual protocol.
We are a NAID AAA-certified facility and are also certified by ISO 9001, ISO 14001, ISO 45001, AICPA SOC 2, R2, and e-Stewards. All electronics are handled in one of our facilities. We do not ship anything overseas. We strive to offer ITAD and electronics recycling services that focus on security, safety, and privacy.
Talk to us about your data destruction and ITAD needs. If you’re planning to resell unneeded electronics, we can help. Our end-to-end program ensures 100% of your data is destroyed while maximizing the value of electronic assets that still have value. Reach us online or by phone.