A decommissioned German army laptop sold on eBay for €90 contained classified military data, including ways to defeat a mobile air defense system in use today.
The laptop was bought from IT recycling firm Bingen by G Data, a prominent German software security firm, which detailed the incident in a March 16 blog post.
Worryingly for the Bundeswehr, not only did it contain sensitive information, but administrative software was protected with the robust password “guest”. (The laptop itself, running the obsolete Windows 2000, was not password-protected.)
As of 2019, it has apparently been strict policy that before any German military IT equipment is sold on, all non-volatile memory must be removed and destroyed.
(Computer Business Review dreads to think what was sold on prior to 2019. The incident is also a salutary reminder for CISOs that IT asset disposal protocols and partners matter; such incidents are not entirely uncommon, even if this data was unusual.)
The laptop contained detailed instructions about a tank currently in use that is equipped with a light anti-aircraft missile defence system known as the Ozelot.
This included detailed schematics and maintenance instructions for the anti-aircraft system, G Data found, in an incident reported this week by Der Spiegel.
A spokesperson for the German Ministry of Defence told Der Spiegel: “The old computers for the LeFlaSys were all discarded and disposed of with the arrangement for deleting or rendering existing storage media unusable. It can be assumed that an error has occurred in the utilization of the computer in question.”
The computer itself was a Roda with a massive 128 MB RAM and a Pentium III processor. On the side of the laptop, the researchers from G Data found a sticker with ‘Roda Rocky II + LeFlaSys data display device’ written on it.
When they scanned the data on the laptop they found maintenance instructions, schematic drawings and complete operating instructions.
At the top of each document is the German classification grade of VS, which clearly marks it as sensitive material.
Tim Berghoff, security researcher at G Data, wrote in a blog post on the incident: “The data contained in the Bundeswehr (German MoD) computer are subject to only the lowest level of confidentiality.
“Nevertheless, those responsible should have removed the data carrier from the computer and destroyed it when it was retired.”
Justifying the acquisition, G Data noted: “As a machine for retro games, it is still good today – and it is also Soundblaster-compatible.”