Sensitive data about current and former U.S. service members is for sale for as little as 12 cents per record, exposing details ranging from financial and medical information to religious practices, according to a new study commissioned by the U.S. Military Academy.
Adversaries could use the details to target Americans with ties to the armed forces for profiling, blackmail, disinformation campaigns and more, the report said.
Released Monday, the report details how the multibillion-dollar data brokerage industry collects, licenses and sells data in ways that could pose national security risks.
Researchers at Duke University examined hundreds of data broker websites, contacting scores of them to inquire about the purchase of information on service members.
For example, the study found 7,728 hits for the word “military” and 6,776 hits for the word “veteran” across 533 data broker websites, which were developed from state data broker registries in Vermont and California.
Search topics included veterans who own motorcycles, military family mailing lists and information from the phrase “Hard Core Military Families.” Veteran claim and discharge numbers also were available for purchase.
One vendor offered the researchers data sets with contact information for 5,000 active-duty military personnel. Another provided data on 5,000 friends and family members of military personnel.
And a purchase from a third vendor included contact data for 15,000 military personnel plus 15 check-boxes indicating ailments and health conditions.
From a fourth vendor, the researchers acquired home addresses, phone numbers and email addresses for 5,000 active-duty military personnel at a cost of about 13 cents per service member.
While some of the purchases were made from domestic domain names, researchers also used “.asia” domains and Singapore IP addresses.
From those domains, they obtained data on 5,048 troops “geofenced” to Fort Liberty in North Carolina as well as military communities in Quantico, Va., and the Washington, D.C., area.
The researchers obtained records pertaining to military personnel from all 50 states.
“Meaningful policy action is needed to address this ecosystem and mitigate national security risks facing the United States,” the report said.
The report included a series of recommendations. It said Congress should pass a comprehensive U.S. privacy law that puts strong controls on the data brokerage industry.
Congress and the executive branch also should supplement that with data controls focused on national security that could prohibit the collection and sale of government employees’ and military members’ personally identifiable data.
Meanwhile, the Defense Department could implement controls in its contracting requirement that restricts contractors’ sale of any data related to their business with the military.
“Foreign governments have historically sought data about American persons and organizations for espionage, election interference, and other purposes,” the report said. “Their interest in the U.S. military in particular is high.”