Pentagon admits adversaries tracked US troops via commercial data for a decade

The US Pentagon has officially acknowledged for the first time that adversaries are exploiting commercial location data to target American military personnel in the Middle East. US Central Command confirmed receipt of multiple threat reports concerning this surveillance, marking the initial admission that the data-broker economy is being utilised to hunt US forces. The confirmation follows a newly disclosed letter obtained by Reuters and independently verified by WIRED, which details the department's failure to act on warnings that have persisted for nearly a decade.

Despite alerts dating back to 2016 from intelligence agencies and contractors that inexpensive commercial fixes could prevent such tracking, the department did not adopt recommended cyber defences for almost ten years. Recent bipartisan correspondence to the Pentagon highlights that critical measures, including disabling advertising IDs on military phones and restricting browser usage, were only implemented this month. This timeline underscores a significant gap between known risks and operational security protocols.

The vulnerability of military personnel to commercial data exploitation was highlighted in 2023 by researchers at Duke University, funded by the US Military Academy at West Point. The study found that data on active-duty troops was available for as little as 12 cents per record, with almost no vetting required. Researchers were able to purchase names, home addresses, health conditions, and financial details on service members, as well as geofenced data for major installations such as Fort Bragg and Quantico.

Further exposure was identified by WIRED, which found marketing segments on Google’s Display & Video 360 platform that singled out US government employees in national security roles. These segments also targeted individuals working for companies licensed to build missiles and cryptographic systems. The ease of access was demonstrated when an investigator for the Irish Council for Civil Liberties gained access to a US broker’s audience lists by establishing a fake analytics firm, noting that no questions were asked during the sign-up process.

In May 2025, the Army Cyber Institute at West Point reported that more than a fifth of the most-visited web domains on the Army’s stateside unclassified networks were commercial trackers. The institute recommended restricting the installation of Google’s Chrome browser and disabling advertising IDs, measures that a bipartisan group of 14 lawmakers is now urging Pentagon Chief Information Officer Kirsten Davies to enforce. The lawmakers’ letter argues that the department has failed to adopt commonsense cyber defences despite long-standing recommendations from its own experts.

The timing of these security updates has drawn sharp criticism, particularly as the Army instructed soldiers earlier this month to begin using personal phones for government work. These devices broadcast advertising IDs and feed location data to brokers, creating a direct link between daily military operations and the commercial data economy. The Pentagon has not immediately responded to questions regarding the delay in implementing these long-overdue security measures.