Sensitive data on U.S. military personnel is easily acquired from data brokers hawking health, financial and other private information that could be used for blackmail, according to Duke University researchers.

The Duke study published Monday said researchers found the data cost between $0.12 and $0.32 per military servicemember when buying thousands of identifiable records in bulk.

Advertising from some data brokers suggested if the researchers wanted to buy far larger troves of information, then the price would plummet to $0.01 per servicemember.

“We found a lack of robust controls when asking some data brokers about buying data on the U.S. military and when actually purchasing data from some data brokers, such as identity verification, background checks, or detective controls to ascertain our intended uses for the purchased data,” the Duke study said.

All of the datasets the researchers acquired included information on military personnel in the U.S. and none of it was anonymized when revealing people’s net worth, health or religion.

Duke’s report detailed the little to no action the data brokers took to determine who wanted the military personnel’s sensitive information.

“Broker 4 told us that it would have to verify our identity before selling us data on the military unless we paid by wire instead of credit card,” Duke’s report said. “We then paid by wire, and Broker 4 provided us with the data we requested on members of the U.S. military without asking about or verifying our identity.”

Location information on military servicemembers, veterans and their families was also commercially available, although the Duke team said it did not purchase it. The Duke University study was funded by the U.S. Military Academy.

The details gleaned from the data pose a potential national security threat. The researchers said foreign governments and intelligence services may be able to use the data to expose military personnel’s private lives and physical whereabouts, including visits to sensitive locations.

“Foreign and malign actors with access to these datasets could uncover information about high-level targets, such as military servicemembers, that could be used for coercion, reputational damage, and blackmail,” the report said. “For instance, data related to income level, credit score, marital status, sexual orientation, mental health conditions, sexual health conditions, gambling, and servicemembers’ families is on the open market for sale and could be used for these purposes.”

The Duke researchers said the considerable gaps in rules and laws restricting the data broker ecosystem means new law is needed.

The researchers endorsed Congress passing a comprehensive federal privacy law, which they said should be supplemented by national security-specific data controls.

Sen. Bill Cassidy said Monday that legislation he co-authored in May would help protect national security and the military personnel’s data. The Louisiana Republican teamed with Sens. Elizabeth Warren, Massachusetts Democrat, and Marco Rubio, Florida Republican, on a bill to prevent data brokers from selling lists of military personnel to adversarial nations, such as China, Russia, Iran and North Korea.

“It’s alarming to see the findings in Duke University’s report regarding data brokers and the selling of U.S. servicemembers’ personal data,” Mr. Cassidy said on X.

Efforts to pass federal privacy laws in Congress have stalled in recent years. For example, when the American Data Privacy and Protection Act gained momentum in the House last year, it hit a wall in the Senate.

Sen. Maria Cantwell, Washington Democrat, helped to thwart the legislation authored by Reps. Cathy McMorris Rodgers, Washington Republican, and Frank Pallone, New Jersey Democrat.

The federal government is aware of how easy it is to obtain people’s sensitive information on the open market.

A panel assembled by the Office of the Director of National Intelligence published a report in June saying the government needed to rethink how it gathers such commercially available information, including data that businesses collect from cars, phones, and internet-connected devices.

• Ryan Lovelace can be reached at rlovelace@washingtontimes.com.