Sensitive military personnel data available for just a few cents online, research finds

Data brokers, feeding online advertising businesses, can easily obtain and sell sensitive military personnel data for as low as $0.12 per record, posing a risk to US national security, a study from Duke University has found. Researchers were able to buy thousands of records with details on health, credit, gambling, and religion, together with contacts.

It appears that foreign adversaries don't need to worry about obtaining information regarding US military service members or veterans. Data brokers will readily provide such profiles for peanuts.

Duke University researchers revealed that it’s not difficult to obtain sensitive data about active-duty military members, their families, and veterans, including non-public, individually identified, and sensitive data. Health, financial, and even data about religious practices are up for sale.

“The team bought this and other data from US data brokers via a .org and a .asia domain for as low as $0.12 per record. Location data is also available, though the team did not purchase it,” the research reads.

The data brokers themselves gave the researchers the idea for the study, as they were actively advertising data about current and former US military personnel.

The multi-billion-dollar data brokerage industry comprises companies gathering, inferring, aggregating, and then selling, licensing, and sharing data on Americans, as well as providing technological services based on that data.

Some details in the 12-month-long research seem surprising. Brokers advertise data that ranges from aggregated to clearly identifiable and linked to specific individuals.

Ads included data about “veterans that own a motorcycle” or “military readers.” One data broker noted its ability to find a deceased veteran’s “claim or discharge number” by searching death records. Several data broker websites advertise data on military families, with dataset titles such as “Military Families Mailing List” and “Hard Core Military Families.”

After the review phase, the researchers contacted 12 US data brokers and ultimately purchased data from three of them. Another finding was a lack of robust controls: one broker didn’t even verify the buyer’s identity. Some other brokers did appear to have some controls in place, as they refused to sell the data or asked for non-disclosure agreements.

“Two brokers refused to sell to us based on our lack of a website and the fact that we were not a “verified” company,” the researchers noted.

All the datasets they acquired contained individual, personally identifiable information on military personnel in the US.

“None of these datasets were anonymized nor aggregated, even when providing sensitive information (such as net worth, religion, or health) and without verifying the purchaser’s identity,” one finding reads.

One broker even advertises “18,000,000 verified military veterans representing the largest veterans marketing list on the market!”

The larger the purchase, the cheaper the price

Another disturbing discovery is how cheap such sensitive data is. Duke University researchers paid between $0.12 and $0.32 per US military servicemember when buying in bulk, between 4,951 and 15,000 identifiable records at a time.

“Based on advertising from other brokers, identifiable datasets pertaining to the US military can be purchased for as little as $0.01 per military servicemember for much larger purchases,” the report states.

One broker provided researchers with contact data on 5,000 active-duty military personnel and 5,000 friends and family members. There was also contact data on 15,000 military personnel, plus 15 checkboxes indicating ailments and health conditions such as allergies, Alzheimer’s, angina/heart problems, arthritis/rheumatism, asthma, bladder control difficulties, diabetes, and others.

For $0.22, you get to know an active-duty servicemember’s name, address, email, specific branch and/or agency, and health.

But there’s more. For $0.213 per military servicemember, another US-based broker provided the name, home address, email address, political affiliation, gender, age, income, net worth, credit rating, occupation, presence of children in the home (yes/no), marital status, homeowner/renter status, home value, and religion.

Data brokers from Asia sell some even more detailed information without any checks.

For $0.12 per record, researchers obtained data on 5,000 service members and veterans covering interest in gambling and casinos, charitable donations, marital status, and political interests. Another broker’s data, at $0.25 apiece, would add to the mix the level of education, occupation, number of children, age and sex of children, ethnicity, language, and credit rating.

“There are considerable gaps in the regulation of the data brokerage ecosystem. While some laws apply to data brokerage (e.g., around credit reporting), they do not cover all uses of that kind of data by all kinds of companies, organizations, and individuals. Other uses of data, such as the brokering of geolocation information, are largely unregulated,” the report reads.

Malicious actors can exploit that

According to the research, data brokerage poses significant risks to US national security, as foreign governments’ intelligence services could potentially use the acquired information against members of the US military.

“This exploitation could range from learning sensitive information about, blackmailing, and then coercing military personnel to outing servicemembers’ sexual orientations, releasing information that damages servicemembers’ reputations, stalking and tailing personnel, or microtargeting personnel with particular messages,” the report lists.

The research included well-known companies such as Oracle; three major credit reporting agencies (Equifax, Experian, and TransUnion); and many other brokers, such as Acxiom or Verisk.

Data brokers say that they acquire data from various sources and platforms to create their lists. That includes medical records, government records, surveys, app data, credit reports, and a wide variety of other sources.

“Congress should pass a comprehensive US privacy law, with strong controls on the data brokerage ecosystem,” researchers suggest.

The US also lacks privacy laws with national security-focused data controls, and the Defense Department should assess the risks from data brokerage in its contracts.

The research “Data Brokers and the Sale of Data on US Military Personnel” was conducted by Justin Sherman, Hayley Barton, Aden Klein, Brady Kruse, and Anushka Srinivasan. It was sponsored by the United States Military Academy.