Foreign threat actors can easily obtain sensitive information on US military members from data brokers, according to a new Duke University study whose results were published on Monday.
Data brokers collect and aggregate information and then sell it, license it or share it, either directly or through services that leverage the data. Data brokers include credit reporting agencies such as Equifax and Experian, marketing companies such as Acxiom, and data analytics and risk assessment firms such as Verisk. Other major players in this space are mobile applications that collect and sell their users’ information to third parties, often without the users’ knowledge or consent.
Data brokers collect and sell a wide range of information, including name, demographic data, political preferences, lifestyle details, home and email address, GPS location, financial situation, and health information.
This type of information can be highly useful to threat actors, including for scams, blackmail, profiling, causing reputational damage, and stalking. In the case of military members, the exposure of this data could pose a risk to national security.
While some data brokers take steps to ensure that this type of data does not fall into the wrong hands, the study conducted by Duke University researchers found that in many cases it’s easy and inexpensive to acquire the information of military service members and veterans, with some brokers specifically advertising such data.
The Duke researchers contacted a dozen brokers in the US to purchase information on military service members and veterans. They found that the methods used by brokers to verify the identity of customers are inconsistent and noted that these practices are largely unregulated by the US government.
While some brokers refused to sell the data to an unverified organization, others seemed more interested in ensuring confidentiality around the purchasing of the data, not the confidentiality of the actual data.
The researchers managed to acquire sensitive information for as little as $0.12 per record when buying thousands of records, and the price can go as low as $0.01 per individual for larger purchases.
The researchers attempted to buy data using a US domain and a .asia domain name that had been linked to a Singaporean IP address.
Even when the .asia domain was used, several brokers agreed to provide thousands of records, including data geofenced to strategic locations such as Washington DC, Fort Bragg in North Carolina, and Fort AP Hill and Quantico in Virginia.
“Foreign governments have historically sought data about American persons and organizations for espionage, election interference, and other purposes. Their interest in the U.S. military in particular is high, and they could obtain such data through the data brokerage ecosystem, either by purchasing it legally or by hacking into the databases of brokers or their customers,” the researchers wrote in their report.
The researchers recommended that lawmakers pass a comprehensive privacy law with strong controls on the data brokerage ecosystem, and advised Congress to provide more funding to the regulatory agencies that would enforce new policies.
In addition, the Defense Department should conduct an internal contractual data flow assessment, which may help in restricting the exposure of sensitive military information to data brokers.