US Military Members' Personal Data Being Sold By Online Brokers, Report Finds

Jacob Knutson reports via Axios: Sensitive, highly detailed personal data for thousands of active-duty and veteran U.S. military members can be purchased for as little as one cent per name through data broker websites, according to a new study (PDF) published on Monday by Duke University researchers. [...] The data about military personnel purchased as part of the study included full names, physical and email addresses, health and financial information and details about their ethnicity, religious practices and political affiliation. In some cases, the information also included whether the person owned or rented a home, was married or had children. The children's ages and sexes were accessible, too.

The researchers bought data on up to around 45,000 military personnel for between $0.12 to $0.32 per record. They also bought data belonging to 5,000 friends and family members of military personnel. Larger data purchases of over 1.5 million service members were available for as little as $0.01 per record from at least one broker the researchers contacted. The researchers called on Congress to pass a comprehensive privacy law and for regulatory agencies like the Federal Trade Commission to develop rules to govern military personnel data purchases.

Everyone's data are being sold

[khchung]

So why would US military member be any different? Did they all religiously avoid using any credit cards, cellphones, ATM, etc and live like monks in a desert? Or did they all have a "military member" tag in their data so data brokers can filter them out? (see the "Evil Bit" for reference)

Re:Everyone's data are being sold

[Shakrai]

That's the wrong question. It's very obvious why having military member information this easy to get is a terrible idea.

The right question is why does it have to happen to the military before someone bothers to notice that it is happening. I can call out a multitude of other professions (finance, human resources, IT, law enforcement, list is endless) and situations (domestic violence, witnesses to crime) where this is a huge fucking problem.

Re:

[Anonymous Coward]

you must be new, people have known about this for a very very long time, but they dont care. They're creatures of convinience and anything is worth giving up if it saves them a few seconds here and there

Re:

[LifesABeach]

interesting.
marketing show offs messing with trained hunter killers

Re:

[bjwest]

Because the data the government holds on military members and their families is far more in quantity, quality and personal than anything any credit card, cellphone ATM, etc. could ever dream of collecting without an extensive QA session.

Re:Everyone's data are being sold

[CaptQuark]

The data doesn't have to come from any federal government database.

Ask for a military discount at a restaurant? {flag}
Sign up for a military function? {flag}
Ask your cell phone company for a military discount? {flag}
Use ID.me to verify military affiliation? {flag}
Get a veteran endorsement on your state drivers license? {flag}
Show military affiliation in FB/IG/Pinterest? {flag}
Create an account on "Together we served"? {flag}
Get veterans car tags? {flag}

It's sometimes hard to get outraged at the collection of data that we so freely give away for a 10% discount at Lowes or Subway. I don't like the fact that a company is paying to collect that data but it isn't much different from them collecting my TV, internet, reading, travel, or food preferences. (You think those loyalty cards at supermarkets are not a source of income for the stores for purchasing habits?)

Re:

[buck-yar]

Why is it ok to surveil and trade the data on non military? My father recently rejoined the military after not being in it since the early 80s. Was it ok to trade our family's data during the time he was working in the civilian world? Then he joins up and suddenly its a crime and our data is off limits? What about everyone else, are they pleb tier not worthy of protection? Everyone is supposed to be equal in this country in the eyes of the law.

Re:

[Anonymous Coward]

Everyone is supposed to be equal in this country in the eyes of the law.

Except for the ones that can afford to be more equal than others.

Welcome to the real world.

[thesjaakspoiler]

Where all our data is up for sale and the government isn't inclined doing anything about that.

OPM Hack

[bill_mcgonigle]

The same applies to every Federal employee.

China was suspected. Is noone at all being blackmailed from it?

Re:OPM Hack

[Shakrai]

It's less likely they'll use it for blackmail and more likely they'll use it for social engineering. There's not much in OPM's database that would be of value for blackmail. There's ample in there you could use to socially engineer your way into a Federal agency, con employees thereof out of privileged information, etc.

Re:

[HBI]

I was captured in that hack. Some identity theft attempts over the ensuing time, but no guarantees that it emanated from there.

However, it did increase the likelihood of getting strange contact attempts. I made a couple reports. Intelligence gathering would be my guess.

Re:

[laughingskeptic]

Disagree. At the same time the Chinese acquired the OPM data they also acquired the non-government medical records of almost everyone in the greater DC area. If a married person with a security clearance was treated for an STD, but did not disclose an affair, then there is definitely a blackmail angle there.

Re:

[Shakrai]

they also acquired the non-government medical records of almost everyone in the greater DC area

Source? Not saying it didn't happen, just that I cannot recall or find it. :(

Congress Should Pass a Law - April Fools!!!

[gavron]

Isn't there a "law" like Betteridge's Law of Headlines that would say:

"Any time your only solution is to call on Congress to pass a law you're already lost."

---
Congress is interested in one thing only - themselves. If they even drafted a privacy law it
would protect members of Congress ONLY. Only such a bill would be called the "Privacy
Law for Congress and no abortion travel and fund Ukraine act" and it would never get to
the floor for a vote. US politics is a joke but not the ha-ha type.

Old news?

[geekmux]

DoD OPM hack happened many years ago, but since the growing interest for clickbait continues to write and sell headlines, I guess we are all supposed to act surprised to find the data still for sale online. Shock and awe can be delivered by a mime these days, I swear.

Re:

[VeryFluffyBunny]

By a mime, you say? Ah, that must be for the kinaesthetic learners among us! I'm sure interpretive dance would work equally well. Personally, I'm an olfactory learner so I need odour-based delivery.

Re: Old news?

[guruevi]

There are much more recent hacks that compromised much more data. The entire government is dependent on a small piece of SFTP software called MoveIT to exchange databases with each other. It runs on Windows Server and requires the admin interface to be publicly available on the Internet.

Re:

[geekmux]

There are much more recent hacks that compromised much more data.

Really? I'd like to know more on this, since anyone who's been forced to fill out the 127-page SF86 form knows you can't get much more invasive than that. Over 22 million service members and government employees were compromised.

Re:

[guruevi]

The MoveIT databases contained not just a few forms. It contained both US and international data from various companies for government, military, commercial and civilian purposes:
- They got a refresh of all the data, including military data from OPM (not just the forms you said) but also from IRS, DOE and a bunch of other agencies
- HR paperwork from various major companies (anyone interacting at bulk with IRS)
- Health records (again, anyone interacting at bulk with a government agency)
- Health insurance rec

not at all unusual

[ZipNada]

I used to work for a company (okay it was Dunn & Bradstreet) that bought, collated, and sold information as their primary source of income. At the time they were spending about $2 billion/year on data acquisition. The data flowed in from various 3rd parties and from subsidiaries they had purchased in order to corner that data. It was all ingested into a truly gargantuan database, a vast dark ocean of data. They had 'data partners', basically large customers such as banks, credit card and phone carriers, who shared all their data with the company in order to get free access to all the other data. Just figure that much of your cellphone activity and a list of everything you purchase with anything other than cash is a fungible commodity. You watched a show on streaming TV? That fact is stored and traded. There is an entire lucrative industry devoted to this.

And oh my goodness was it comprehensive. The unit where I worked pulled up detailed information about corporations that was sold piecemeal for very hefty prices, but you could buy an enormous tranche of raw material for your own database and do whatever you wanted with it. Things like all the info about all the employees of all the significant corporations in the USA. The data could be segregated in any number of ways. Whittled down to info about military personnel would be trivial.

Re:

[VeryFluffyBunny]

Yep. Unfortunately, it's become a boring, run of the mill fact & nobody with any power to do anything about it seems to care. I wonder what the world's hostile spy agencies are doing with all this readily available data? Since ~90% of spying is industrial espionage (according to Edward Snowden), I'd assume the biggest targets would be corporate executives, their aides, & senior management. What do those datasets sell for?

Re:

[ZipNada]

It's amazing to me that anyone would still support an obvious scoundrel like Trump. He's been a crook all his life and everyone knows it, still they would vote for him. I hope he loses all his properties in New York.

Re:

[ZipNada]

It was expensive. A basic (but many detailed pages) credit report on a single corporation ran about $3k, but I don't know how much the 'data partners' paid if anything.

What was particularly bad is that some customers would inadvertently post the data they purchased on unsecured databases in the cloud. We saw one that consisted of all the positions and contact info for the employees of thousands of corporations. A gold mine for phishing attacks.

Perhaps make laws with actual teeth?

[Anonymous Coward]

What is needed is laws with actual teeth in them. It isn't a law per se, but lets look at the MPA. Someone leaks something while a movie is bring filmed? They get kicked out, their contract torn up in their face, barred from ever getting near a studio ever again, and sued into the ground. Nobody fucks with the MPA guys.

We need something like this when it comes to private data, especially of this sensitivity. A leak means that people go to jail, even if it means C-levels who failed to allocate budget.

Friends and family members?

[Dr. Tom]

Let's see the proof of that.

Maybe For Them, Never For Us

[DewDude]

Don't worry. As a normal American Citizen rest assured you will be exempted from all data privacy laws and the corporations will still profit by selling it all to other corporations and the government without any type of regulation or restriction. Because while it might be illegal for the government to violate your rights, it's not illegal to allow corporations to do it on your behalf...and who better than to build massive files on the public to be used against the public than the very things most of them h

It's almost like...

[CyberKender]

...we need laws to make people's data private...

Re:

[geekmux]

...we need laws to make people's data private...

Given the prevalence of mass narcissism and the inability to read a EULA without a lawyer present, I'd say we need to find a society that still gives a shit about privacy, because this one doesn't anymore.

More laws, won't do a damn thing.