Full Report
More than 3 billion phone coordinates collected by a US data broker expose the detailed movements of US military and intelligence workers in Germany—and the Pentagon is powerless to stop it.
Analysis Summary
# Incident Report: Tracking of US Military/Intelligence Personnel via Commercial Location Data
## Executive Summary
This "incident" involves the unauthorized, large-scale tracking of US military and intelligence personnel located at sensitive installations in Germany, including Lucius D. Clay Kaserne and Ramstein Air Base, by tracing signals from commercially available mobile phone location data. The routine movements of personnel—from homes to sensitive facilities like NSA monitoring sites—were exposed and sold by US-based data brokers, posing a significant national security risk via potential blackmail or targeting by foreign adversaries. Response actions involved Senatorial inquiry and impending FTC lawsuits aimed at regulating this practice.
## Incident Details
- **Discovery Date:** Initial reporting began around September 2023, with findings being publicly revealed later that year/early 2024 through a joint investigation.
- **Incident Date:** The tracking occurred over roughly two months in 2023, with predictable patterns observed.
- **Affected Organization:** US Army, US Intelligence Operations (suspected NSA), US Government Contractors.
- **Sector:** Military/Defense, Intelligence Services.
- **Geography:** Wiesbaden, Germany, specifically involving Lucius D. Clay Kaserne, Dagger Complex, and Ramstein Air Base.
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing throughout most of 2023.
- **Vector:** Legal acquisition of location data from mobile applications by US-based data brokers, followed by legal sale of aggregated datasets.
- **Details:** Data brokers collected billions of location coordinates from devices in the US and abroad, including those belonging to service members operating near or inside sensitive facilities in Germany.
### Lateral Movement
- **Details:** The collected data allowed analysts to map movement patterns from residences to specific workplaces (e.g., contractor offices, Consolidated Intelligence Center, hangar facilities, weapons testing zones) and personal locations (restaurants, bars).
- **Impact:** Demonstrated the ability to reveal routines of personnel with access to highly sensitive infrastructure.
### Data Exfiltration/Impact
- **What was stolen or damaged:** Highly sensitive, nonpublic, individually identifiable location data about US service members and potential intelligence personnel, exposing their daily routines and access to secure areas (including suspected NSA sites and nuclear weapons storage locations).
### Detection & Response
- **How it was discovered:** Collaborative analysis by WIRED, Bayerischer Rundfunk (BR), and Netzpolitik.org tracking device coordinates obtained from a US data broker.
- **Response actions taken:** Senator Ron Wyden approached the US Defense Department (DoD) in September 2023 and the National Security Council (NSC). The FTC is reportedly planning multiple lawsuits to recognize US military installations as protected sites for data collection purposes.
## Attack Methodology
**Note:** This was not a traditional cyber intrusion, but rather an exploitation of the unregulated commercial data market. The methodology describes how the *data* was compromised/leveraged.
- **Initial Access:** Commercial collection of mobile application location data by third-party brokers, often through legal means or weak disclosure agreements.
- **Persistence:** N/A (Data was static/historical once sold).
- **Privilege Escalation:** N/A.
- **Defense Evasion:** The data collection existed outside traditional defensive perimeters (e.g., firewalls, EDR), operating within the commercial advertising ecosystem.
- **Credential Access:** N/A.
- **Discovery:** Data brokers had vast datasets allowing for detailed mapping of movement patterns across time and geography (geofencing).
- **Lateral Movement:** Data analysis correlated movement between homes, training sites, intelligence facilities, and recreational areas.
- **Collection:** Billions of location coordinates aggregated over time.
- **Exfiltration:** The aggregated, identified location datasets were sold on the open market to potentially adversarial actors.
- **Impact:** Exposure of operational security (OPSEC) and potential targets for foreign intelligence services or criminals.
## Impact Assessment
- **Financial:** Not explicitly stated, but potential costs related to mitigating resulting security breaches or enhancing classified facility physical security would be high.
- **Data Breach:** Detailed, individualized location history of personnel with access to classified/sensitive operations in a foreign theater.
- **Operational:** Direct threat to the integrity and security of US military and intelligence operations in Europe.
- **Reputational:** Damage to operational security practices and trust in commercial data handling.
## Indicators of Compromise
- **Network indicators:** N/A (Commercial IP data streams, not malicious command-and-control).
- **File indicators:** N/A.
- **Behavioral indicators:** Consistent, patterned location pings originating from devices located inside secure military/intelligence facilities (e.g., Lucius D. Clay Kaserne, Dagger Complex, Ramstein).
## Response Actions
- **Containment measures:** Senator Wyden engaged DoD and NSC; FTC reportedly preparing lawsuits targeting data brokers operating around sensitive sites.
- **Eradication steps:** Focus is on regulatory/legislative action to address the data brokers themselves, rather than removing a specific persistent threat actor.
- **Recovery actions:** Public disclosure of the risk and subsequent attempts to pass privacy legislation (e.g., American Privacy Rights Act, Fourth Amendment Is Not For Sale Act).
## Lessons Learned
- The unregulated sale of aggregated commercial location data poses a significant, immediate threat to US national security, exposing high-value personnel routines.
- Existing legal frameworks (e.g., warrant requirements) are easily circumvented when operational data is purchased commercially.
- Government intelligence and defense agencies currently lack control over the public sale of their personnel's geolocation data.
## Recommendations
- **Prevention measures for similar incidents:** Pass comprehensive national privacy legislation that explicitly bans the sale of individually identifiable location data concerning military personnel or activity near sensitive defense sites. Fully implement DoD policies restricting how data shared with contractors can be resold. FTC must aggressively pursue lawsuits to establish legal precedent protecting military installations in data broker regulation.