German security researchers discovered easily accessible, classified military information on a laptop sold on eBay.
Security specialists from G Data, based in the western city of Bochum, bought a used Bundeswehr laptop for €90 ($100).
On the computer were a series of documents, including instructions on how to destroy the LeFlaSys Ozelot air defence system.
The LeFlaSys Ozelot is a mobile air defense missile system first deployed in 2001 and still in use today. The surface-to-air system is used to quickly react against air threats, protecting command centers and troops on the move.
The files were marked “VS-Nur für den Dienstgebrauch” — the lowest level of secret classification.
G Data security expert Tim Berghoff told DW the rugged, splash-proof computer weighed 5 kilograms (11 pounds) and was designed for field use. Berghoff said the device was probably made in the early 2000s and still ran well.
“The notebook PC we acquired contains extensive technical information on the LeFlaSys system, including step-by-step instructions for operation as well as maintenance. Information on how to operate the target acquisition system, as well as the weapons platform itself, can be found on there, and, of course, instructions on how to destroy the entire system to prevent its use by enemy forces,” Berghoff told DW.
He and Alexandra Stehr, a developer in G Data’s threat analysis team, created a bit-by-bit copy of the hard drive.
“It was easy to access the information. The Windows login required no password. The login for the program that contained the documentation of the weapons system was protected with a very easy-to-guess password. From then on, you could freely browse through the documentation.”
The device was sold by a recycling firm from Bingen.
Data should have been destroyed
The Defense Ministry told German news magazine Der Spiegel, who first reported on the case, that the recycling firm was responsible for destroying the data.
“The old computers used for LeFlaSys have all been decommissioned and sent for recycling with orders to erase or render existing storage media unusable,” a spokeswoman told the news magazine.
“It can be assumed that an error occurred during the recycling of the computer in question.”
It said the information recovered was not a serious data breach and did not give potential enemies critical information.
The military is legally obligated to destroy all data before selling IT equipment.
In 2019, a forest ranger from Upper Bavaria found classified instructions for the Mars mobile rocket artillery when he bought four laptops from an auction run by federal authorities.