Senator Calls Adtech a 'National Security Threat' After DoD Confirms Targeting of Troops
US Central Command confirmed foreign adversaries are using commercial location data to track and surveil US troops in theater. Sen. Ron Wyden said it is time to treat the adtech industry as a national security threat. Adversaries were not named.
Commercial advertising data is now, in the words of a sitting US senator, a national security threat — and every enterprise CISO who manages a mobile fleet has the same exposure the Pentagon just publicly conceded.
WASHINGTON, D.C. — On May 28, 2026, US Central Command confirmed that foreign adversaries are using commercial location data, harvested from mobile phones, to track and target US service members on the battlefield. The confirmation came in a USCENTCOM letter that Sen. Ron Wyden, the Oregon Democrat who has spent years pressuring the executive branch over data-broker risk, shared with TechCrunch and Reuters. 'USCENTCOM has received multiple threat reports concerning adversary exploitation of commercial location data to target or surveil US personnel in theater,' the letter read. The letter did not name the adversaries and did not provide specifics.
Wyden, briefing Reuters on the disclosure, said it was time to 'start treating the adtech industry as a national security threat.' Reporting by The Register, TechCrunch, and WIRED on the same day framed the disclosure as the public confirmation of a risk the Department of Defense had been warned about for years. WIRED's framing was the sharpest: the US military has long known that cheap fixes could stop location data from exposing its troops, adopted almost none of them, and now says adversaries are using the data to target soldiers during a war.
What Happened
The disclosure is short and pointed. In a letter shared with TechCrunch and Reuters by Sen. Ron Wyden — the Oregon Democrat who has spent years pressing the executive branch on the national-security implications of the commercial data-broker market — US Central Command stated that it had received multiple threat reports of adversaries using purchased commercial location data to target or surveil US service members in theater. The disclosure lands inside a broader threat-environment shift in which the UK's NCSC chief has publicly identified Iran, Russia, and China as the primary drivers of state-aligned cyber threats, though the USCENTCOM letter itself declines to name any state actor. Reuters first reported the news on May 28, 2026, with The Register, WIRED, and TechCrunch following the same day. The USCENTCOM letter does not name the adversaries, does not provide examples, and does not cite specific incidents, and a Department of Defense spokesperson did not return TechCrunch's request for comment.
Wyden's framing to Reuters elevated the disclosure from a single battlefield concern to a structural one: it is time, he said, to 'start treating the adtech industry as a national security threat.' That is the editorial center of the story. The DoD confirmation is the evidence; the senator's framing is the policy lever. WIRED's same-day reporting added the historical context that defines the failure: the US military has long known that comparatively cheap technical fixes — restricting advertising identifiers, restricting which apps can collect location, restricting which apps can run on operationally sensitive devices at all — could stop this exposure. According to WIRED, the military adopted almost none of them, and is now publicly acknowledging that the data is being used to track soldiers during an active conflict.
How Commercial Location Data Becomes a Targeting Capability
The supply chain that produced this risk is well understood and entirely commercial. Mobile apps and websites collect location data from phones and computers, typically as a byproduct of advertising — every served ad is an opportunity to log where the device was when the ad was rendered, and the persistent advertising identifier on the device ties that observation to a longitudinal track. Data brokers buy those logs in bulk, aggregate them, and sell them on the open market to anyone who can pay, with little practical restriction on who the buyer is or what they intend to do with the data. Governments and militaries — including, in past reporting, the US government itself — have purchased this commercial data without obtaining warrants. The same market that lets a US agency buy a track now, according to USCENTCOM, lets an adversary buy a track of a US service member. The mechanism is not exotic; it is the default behavior of the advertising stack.
Why the 'National Security Threat' Framing Is the News
What is new on May 28 is not the existence of the risk — privacy researchers, journalists, and Wyden himself have been warning about commercial location data and military personnel for years. What is new is the public framing. A sitting US senator now has, on the public record, a quote that treats the entire adtech industry as a national security threat, attached to a same-day USCENTCOM confirmation that the threat is operational. That is the kind of framing that moves legislation. CISOs and policy-engaged security leaders should expect, in the months ahead, proposals targeting federal data-broker restrictions, restrictions on the use and persistence of advertising identifiers, DoD acquisition rules for mobile devices, and possibly broader executive-branch action on data-broker sales to entities of concern. The same May 2026 cycle that produced this story has produced the Verizon DBIR 2026 finding that vulnerability exploitation just overtook credential theft as the number-one initial-access vector and the German cybersecurity-authority warning that China is close to an AI 'superhacker'. The throughline is that the threat surface has expanded faster than the policy response, and the adtech disclosure is the clearest piece of evidence yet that commercial-data exhaust is part of that surface.
This Is Not a Military-Only Problem
The story is being told as a military story because the confirmation came from US Central Command, but the underlying risk does not stop at the perimeter of the Department of Defense. Any organization with operationally sensitive mobile-device populations is exposed by the same mechanism: defense contractors, intelligence-community staff, journalists working sources in conflict or authoritarian environments, NGOs operating in hostile territory, executive-protection programs, law firms representing high-profile clients, and corporate security teams supporting C-suite travel. The advertising identifier on each of those phones is being logged the same way as the advertising identifier on a soldier's phone, and the resulting data is sold on the same open market. The same week, Russia-aligned threat actors were observed using ChatGPT and Gemini in attacks against Ukrainian targets — a reminder that state-aligned operators are now routinely combining commercial data and commercial AI to compress reconnaissance and targeting timelines. The defender question for every CISO is the same: how much of your organization's mobile-device exhaust is in the same brokered datasets that, in the USCENTCOM letter, became targeting data?
Scope and Impact
Several specifics remain deliberately unstated. USCENTCOM's letter names no adversaries; same-day reporting in The Register, WIRED, TechCrunch, and Reuters likewise names none. The letter does not provide examples, does not cite specific incidents, does not disclose how many US personnel were affected, and does not say whether any of the targeting attempts resulted in physical-world consequences. The DoD spokesperson did not respond to TechCrunch's request for further comment. Wyden's framing is on the record; the operational detail behind it largely is not.
What is not in dispute is the structural picture. Commercial location data is generated by default on virtually every modern smartphone, harvested by an opaque chain of advertising and analytics providers, aggregated by data brokers, and resold to anyone with the means to buy it. The US military has been warned for years that this exposes its personnel; the WIRED account is explicit that the cheap fixes have been on the table the entire time and were not adopted. The May 28 disclosure is therefore not a discovery but a public concession — and concessions of that kind are the moments at which legislative and regulatory windows open. The expected forward indicators are concrete: bills targeting data-broker sales to foreign entities, restrictions on advertising-identifier persistence, DoD mobile-device acquisition policy, and possible executive-branch action on data-broker disclosures.
For enterprise CISOs whose threat models do not include 'a foreign-state buyer of commercial location data,' this is the prompt to add it. The exposure is not theoretical. It is the same data exhaust your managed devices generate today, traveling the same commercial pipes the USCENTCOM letter describes. The exposure also compounds when combined with other 2026 trends — accelerated vulnerability-to-exploitation timelines, state-aligned use of commercial AI for reconnaissance — that shorten the time between data sale and operational use.
Response and Attribution
For CISOs at organizations with operationally sensitive mobile fleets, the immediate operational moves are well understood and within current MDM capability. Inventory every app on managed devices that holds any location or advertising-targeting permission. Restrict the device-level advertising identifier — IDFA on iOS, GAID on Android — via MDM policy; default to reset on every wipe; default to disabled for any device assigned to an operationally sensitive role. Audit which apps are permitted on operationally sensitive devices and remove any whose business case does not justify location collection. Build a tiered mobile-device policy that distinguishes baseline corporate devices from operationally sensitive ones, and ratchet the controls accordingly: more restrictive app allowlists, more aggressive identifier resets, stricter network egress controls.
For SOC and threat-hunting teams, the framing shift is that outbound traffic from operationally sensitive devices to known adtech and data-broker domains is now a defensible hunting signal — not because those domains are malicious in the conventional sense, but because the data leaving the device is the same data that the USCENTCOM letter describes adversaries buying. The same pattern shows up in China-aligned telecom-espionage operations like Showboat, where long-dwell access to communications infrastructure produced exactly the kind of longitudinal personnel intelligence the adtech market now sells as a commodity. Build a small allowlist of business-justified adtech destinations and treat the rest as exfiltration. For policy-engaged CISOs and government-affairs teams: track Wyden's legislative follow-ups, watch for executive-branch data-broker action, and pre-stage the operational changes so any federal mandate becomes an execution exercise rather than an engineering one.
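The hunting signal described above can be sketched as a small log filter. This is an added example, not code from the original article or from any vendor: the device IDs, the adtech domain list, the allowlist, the log format and every log line are constructed assumptions. It flags adtech egress only from sensitive-tier devices, honors the allowlist, and handles hostname case, trailing dots, lookalike domains and truncated lines.

```python
# Added example: all hostnames, device IDs and log lines are constructed.
from collections import defaultdict

SENSITIVE_DEVICES = {"mdm-0042", "mdm-0077"}   # assumed export of the sensitive MDM tier
ADTECH_SUFFIXES = {"adnet.example", "bidstream.example"}  # assumed adtech/broker list
ALLOWLIST = {"metrics.adnet.example"}          # assumed business-justified destinations

# Constructed proxy log: timestamp device_id host port bytes_out
PROXY_LOG = """\
2026-05-29T08:01:12Z mdm-0042 sdk.adnet.example 443 1820
2026-05-29T08:01:15Z mdm-0042 metrics.adnet.example 443 640
2026-05-29T08:02:40Z mdm-0310 rtb.bidstream.example 443 2210
2026-05-29T08:03:05Z mdm-0077 RTB.Bidstream.example. 443 905
2026-05-29T08:03:09Z mdm-0077 myadnet.example 443 300
2026-05-29T08:04:51Z mdm-0042 sdk.adnet.example 443 2075
2026-05-29T08:05:00Z mdm-0042
"""

def in_domain_set(host, domains):
    """True if host is a listed domain or a subdomain of one ('.' boundary enforced)."""
    return any(host == d or host.endswith("." + d) for d in domains)

def hunt(log_text):
    """Return (timestamp, device, host, bytes_out) for non-allowlisted adtech egress."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue  # truncated or malformed record
        ts, device, raw_host, _port, nbytes = fields
        host = raw_host.lower().rstrip(".")  # canonical form before matching
        if device not in SENSITIVE_DEVICES:
            continue  # baseline tier: out of scope for this hunt
        if in_domain_set(host, ADTECH_SUFFIXES) and not in_domain_set(host, ALLOWLIST):
            findings.append((ts, device, host, int(nbytes)))
    return findings

def summarize(findings):
    """Aggregate hits and bytes per (device, host) for triage."""
    totals = defaultdict(lambda: {"hits": 0, "bytes": 0})
    for _ts, device, host, nbytes in findings:
        totals[(device, host)]["hits"] += 1
        totals[(device, host)]["bytes"] += nbytes
    return dict(totals)

if __name__ == "__main__":
    for key, stats in sorted(summarize(hunt(PROXY_LOG)).items()):
        print(key, stats)
```

In a real deployment the device set would come from the MDM tier assignment and the domain lists from a maintained feed, with the allowlist reviewed against each app's business case.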
On attribution, the honest position mirrors the USCENTCOM letter: no adversaries are named. Public reporting in The Register, WIRED, TechCrunch, and Reuters on May 28 likewise declined to identify a specific state. Speculation about which adversary or adversaries are doing the purchasing would not be supportable on the public record, and this account does not offer one. The strategic significance does not depend on the name; it depends on the fact that the data is for sale, the adversaries are buying it, and the defense — at the personal-device, MDM, and policy layers — is achievable and largely unimplemented.
The CyberSignal Analysis
Signal 01 — Adtech Is Now Named, on the Record, as a National Security Threat
The single most consequential thing on the record after May 28 is a sitting US senator publicly framing the adtech industry as a national security threat, attached to a same-day military confirmation that adversaries are exploiting the industry's output to target US troops. That is a quotable, repeatable, legislatable phrase, and it changes the political economy of every conversation about data brokers from this point forward. For CISOs, the practical implication is to expect movement: federal data-broker restrictions, advertising-identifier controls, and DoD acquisition-policy changes are all newly plausible. For policy-engaged security leaders, this is the moment to engage with sector regulators and government-affairs teams rather than wait for legislative text to land. The frame has shifted; the rest follows from it.
Signal 02 — Ad-Data Exhaust Is an Exfiltration Surface, Not a Marketing Externality
Most CISOs do not have a mental model for commercial location data because it does not show up in any of the standard exfiltration categories — it is not credential theft, not source-code leakage, not customer-PII exposure. It is data that the organization's devices broadcast voluntarily, by design, to fund the advertising stack that funds the apps the workforce uses. The USCENTCOM disclosure reframes that voluntary exhaust as an attacker-accessible feed about your people. That feed sits alongside other state-aligned mobile-targeting capabilities — the same May 2026 cycle has produced Russian-nation-state Kazuar/Secret Blizzard activity built around Signal Desktop and other consumer messaging surfaces — and the defender's lesson is identical: the device-side telemetry your fleet emits is the input these operators want. For organizations with any operationally sensitive mobile-device population — and that population is broader than most CISOs initially think — the defensive answer is to treat advertising IDs and ad-tech outbound traffic from those devices the way you would treat any other data leaving the perimeter: inventory it, restrict it, allowlist it, and hunt for the rest.
Signal 03 — The Cheap Fixes Have Been on the Table the Whole Time
WIRED's framing is the sharpest editorial line of the day, and it deserves to stick: the US military has long known that comparatively cheap fixes could stop location data from exposing its troops, adopted almost none of them, and now says adversaries are using the data to target soldiers during a war. That is a generalizable indictment, and it applies to enterprise CISOs too. The technical mitigations — MDM-level advertising-identifier restrictions, app inventory and allowlisting, tiered device policy, hunting on ad-tech egress — are not exotic, not expensive, and not novel. They are, by and large, things a competent mobile-security program could implement this quarter. The lesson of the USCENTCOM disclosure is that the gap between knowing the fix and adopting it is the operational risk. Closing that gap, on a mobile fleet you already manage, is the work that this story prompts.