Connect with us

Hi, what are you looking for?


Data Breaches

Data Brokers Expose Sensitive US Military Member Info to Foreign Threat Actors: Study

Foreign threat actors can easily obtain sensitive information on US military members from data brokers, a Duke University study shows.

Foreign threat actors can easily obtain sensitive information on US military members from data brokers, according to a new Duke University study whose results were published on Monday.

Data brokers collect and aggregate information and then sell it, license it or share it, either directly or through services that leverage the data. Data brokers include credit reporting agencies such as Equifax and Experian, marketing companies such as Acxiom, and data analytics and risk assessment firms such as Verisk. Another major player in this space are mobile applications that collect and sell their users’ information to third parties, often without the users’ knowledge or consent. 

Data brokers collect and sell a wide range of information, including name, demographic data, political preferences, lifestyle details, home and email address, GPS location, financial situation, and health information. 

This type of information can be highly useful to threat actors, including for scams, blackmail, profiling, causing reputational damage, and stalking. In the case of military members, the exposure of this data could pose a risk to national security.

While some data brokers take steps to ensure that this type of data does not fall into the wrong hands, the study conducted by Duke University researchers found that in many cases it’s easy and inexpensive to acquire the information of military service members and veterans, with some brokers specifically advertising such data.

The Duke researchers contacted a dozen brokers in the US to purchase information on military service members and veterans. They found that the methods used by brokers to verify the identity of customers is inconsistent and noted that these practices are highly unregulated by the US government. 

While some brokers refused to sell the data to an unverified organization, others seemed more interested in ensuring confidentiality around the purchasing of the data, not the confidentiality of the actual data. 

The researchers managed to acquire sensitive information for as little as $0.12 per record when buying thousands of records, and the price can go as low as $0.01 per individual for larger purchases.

Advertisement. Scroll to continue reading.

The researchers attempted to buy data using a US domain and a .asia domain name that had been linked to a Singaporean IP address. 

Even when the .asia domain was used, several brokers agreed to provide thousands of records, including data geofenced to strategic locations such as Washington DC, Fort Bragg in North Carolina, and Fort AP Hill and Quantico in Virginia.

“Foreign governments have historically sought data about American persons and organizations for espionage, election interference, and other purposes. Their interest in the U.S. military in particular is high, and they could obtain such data through the data brokerage ecosystem, either by purchasing it legally or by hacking into the databases of brokers or their customers,” the researchers wrote in their report.

The researchers recommended that lawmakers pass a comprehensive privacy law with strong controls on the data brokerage ecosystem, with Congress being advised to provide more funding to regulatory agencies that can enforce new policies.  

In addition, the Defense Department should conduct an internal contractual data flow assessment, which may help in restricting the exposure of sensitive military information to data brokers. 

Related: Ransomware Gang Leaks Data Allegedly Stolen From Canadian Hospitals

Related: Lost and Stolen Devices: A Gateway to Data Breaches and Leaks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Data Breaches

A group of hackers has leaked Atlassian employee records and floorplans, information that was obtained from third-party workplace platform Envoy.