Military officials working at nuclear weapons facilities. FBI and NSA employees. Americans in the sensitive Green Zone of Baghdad, Iraq.
These are some of the military or intelligence officials who could be identified using public data from the popular Polar Flow fitness platform, according to an investigation by the news website Bellingcat and the Dutch news agency De Correspondent. The public data could be a gold mine of sensitive information and represents one of the largest open-source security vulnerabilities for the Department of Defense since a similar lapse was found in the Strava exercise app in January.
More than 6,500 users who worked at more than 200 sensitive sites across the world appear to have been unknowingly broadcasting their exercise location and their name to the entire world, according to the joint investigation.
Bellingcat was able to pinpoint the name of a “high-ranking officer” at a base known to host nuclear weapons. It took just a few clicks. Using the Polar Flow app and other information found on the internet, De Correspondent was able to collect a disturbing amount of one Dutch soldier’s personal information. They found the name of the soldier, the fact that he was stationed at one of the key locations from which the war against the Islamic State is being waged, the soldier’s home address, and the names of his wife and kids.
Because of Polar Flow's broad search functions, public data appears to be easier to find in that application than on the Strava fitness website.
Due to the joint investigation, Polar has disabled the ability to search for exercise data on its platform. In a statement, the company said that “there has been no breach of private data,” and that users must “opt-in” to have their training locations public. Polar reminded users “to avoid publicly sharing GPS files of sensitive locations.”
The investigation comes as the Department of Defense has warned its employees and soldiers to be aware of the information they choose to make public over the internet.
“Protect your health, biometrics and financial information,” wrote Secretary of Defense Jim Mattis in a June memo. “The potential consequences of compromised data could be serious, not just for you and your families, but for the readiness and resiliency of this department.”
Spokespeople for Polar and the Department of Defense were not immediately available for comment.
Justin Lynch is the Associate Editor at Fifth Domain. He has written for the New Yorker, the Associated Press, Foreign Policy, the Atlantic, and others. Follow him on Twitter @just1nlynch.