Personal and combat-related data: preventing the leakage of sensitive information

In the digital era, protecting personal and service-related data is critical, especially for military personnel. Adversary intelligence relentlessly pursues methods to access critical data that could jeopardize plans, locations, or personal information of military personnel.

Digital technologies have both complicated and simplified intelligence gathering. On one hand, data can be protected using advanced encryption methods; on the other, users frequently unknowingly disclose sensitive information via social media, messaging apps, and other communication channels.

Understanding the methods employed by the enemy to gather intelligence, along with a solid grasp of essential cybersecurity protocols, enables effective defense against data breaches. The Ministry of Defence provides detailed insights into key threats and offers practical recommendations for safeguarding personal and service-related information.

How the enemy collects intelligence

Adversaries consistently employ several primary methods to gather intelligence on Ukrainian military personnel, including phishing, hacking of information systems, and social engineering. More in-depth information on these technical methods is provided in a previous publication.

However, special emphasis should be placed on the fact that the enemy actively analyzes open-source data. From small fragments of data scattered across the internet, malicious actors can construct a detailed profile of a service member.

Even seemingly harmless details—such as place of residence, educational institutions, friends, followers, or photos—collectively enable adversaries to determine a service member’s duty station, social circle, and other critical information. With a sufficient number of such 'building blocks,' the enemy can piece together an accurate picture and shift the threat from the virtual space to the real-world environment.

Smartphones and other devices security

It is hard to imagine modern life without smartphones. These devices are constantly connected to the internet, making their data vulnerable. To protect information on electronic devices, adhere to the following basic rules:

Always lock your device—this is the simplest way to secure your data. Use a password or PIN (at least six digits) that you can reliably remember. Biometric authentication and simple PINs may seem convenient, but they are highly vulnerable to breaches. Facial recognition on budget smartphones can be bypassed with a simple photo, and short PINs can be cracked in just a few attempts.

Keep apps and their permissions under strict control. Only download apps from official stores and limit installations to those you actively use. Avoid granting apps full access to your device, particularly permissions for media files, geolocation, camera, and microphone.

Wireless connectivity is another weak spot in security. Enabled wireless modules not only reveal the presence of electronic devices in a specific spectrum but also create potential entry points for malicious actors. Activate Wi-Fi and Bluetooth only when necessary and connect solely to trusted networks. Since ‘Airplane Mode’ may not reliably disable these functions, you should check their status manually.

Do not jailbreak (iPhone) or root (Android) your device. Although such unlocking removes manufacturer-imposed restrictions and enables expanded functionality, it also introduces a considerable range of security risks, including:

• Loss of built-in cybersecurity protections;
• Loss of access to critical security updates for the operating system;
• Voiding the device warranty.

More critically, jailbreaking and rooting grant administrative privileges not only to you but also to potential malicious code, which could gain unrestricted access to all private data on your device.

Avoid public charging ports in cafes, fuel stations, and other public spaces. Hackers can compromise these ports using a technique known as 'juice jacking'. Using a tampered charging port risks giving malicious actors full access to your device, as USB ports are designed for both charging and data transfer.

The safest option is to charge your smartphone using your own charger via a standard outlet or use a Data Blocker—a small device that prevents data transfer during USB charging.

Photos, videos, and cloud services

Pay special attention to your camera and photos. Do not capture or share images containing sensitive information. Be sure to turn off geotagging features that automatically store the location where each photo was taken.

Even without geotags, landscapes, buildings, or other details in a photo can help reveal the location. When necessary, blur or edit distinctive elements in images.

Check your gallery settings to ensure photos are not automatically uploaded to cloud services. Default gallery settings often enable synchronization with iCloud, Google Cloud, or other cloud storage platforms. If your account is compromised, adversaries can access your entire gallery. Therefore, disabling automatic uploads—especially for service-related photos is advisable.

Security on social media and messaging apps

Social media is a powerful source of information. For secure use, make your profile private and only add people you know as friends or followers. Regularly review privacy settings, as platforms may change them without notice.

Before posting any content, consider whether it reveals sensitive information. Avoid mentioning your duty station, movements, plans, tasks, or missions. Do not share photos in military uniform with visible insignia or in front of military facilities. Also, avoid taking photos near civilian facilities used by the military or in areas where tasks or missions are being conducted.

Exercise extra caution with messaging apps. Regularly review the participants in service-related group chats. Due to personnel rotations, groups may include individuals who no longer require access to the information discussed. Be cautious of unknown chat groups—even those with seemingly official names like ‘Military Unit Command.’ Verifying with authorized personnel whether you were meant to be added to the group is best.

During phone conversations, adhere to the principle of minimal disclosure. Do not share details about your movements, tasks, or locations, even with close contacts. Remember that any unsecured communication channel can potentially be intercepted.

Proper file deletion

It is crucial not only to store information securely but also to delete it properly. Simply deleting files from an electronic device is insufficient for complete data destruction. First, ensure deleted files are not lingering in the recycle bin. On computers, they can remain indefinitely; on smartphones, they may persist for about 30 days.

However, even emptying the recycle bin does not guarantee complete data removal. The file is not erased from the storage medium; instead, the operating system merely removes its reference. The data remains in the storage medium until it is overwritten by new information.

Using widely available software that requires no specialized knowledge, adversaries can recover deleted files if they have not been overwritten.

For secure data deletion, use specialized programs like Eraser or BleachBit. These tools “wipe” the disk by overwriting free space with random data, making recovery of previous data impossible. In critical cases, physical destruction of the storage medium remains the most reliable method.

Responding to a data leak

Despite all precautions, data leaks can still occur. If this happens, immediately inform your chain of command to assess the scope of the issue. Change all passwords, especially for critical resources.

After this, you should reach out to specialized cybersecurity units.

Protecting personal and combat-related data is not a one-time action but an ongoing process requiring vigilance and discipline. Strict adherence to basic cybersecurity rules helps significantly minimize the risk of sensitive information breaches.