When you realize you’ve somehow sold $1.2 million worth of controlled military equipment to a law enforcement agency that doesn’t exist, you’re likely to jumpstart efforts to reform that program.

That’s what happened when the Defense Logistics Agency learned that a sting operation run by the Government Accountability Office had exploited vulnerabilities in the Pentagon’s 1033 program, which sells local, state, and federal law enforcement agencies excess military equipment.

“Through creating a fictitious federal agency, we gained access to the program and obtained over 100 controlled items with an estimated value of $1.2 million, including night vision goggles, simulated rifles and simulated pipe bombs which could be potentially lethal if modified with commercially available items,” Zina Merritt, director of the GAO’s defense capabilities and management team, told lawmakers Thursday.

The 1033 program, created in the Clinton era and administered by DLA, has transferred more than $6 billion of equipment to some 8,600 agencies — including $1.1 billion in controlled items from 2013 to 2015.

It gained notoriety in 2014 when the nation’s television sets filled with images of police in Ferguson, Missouri responding to the Michael Brown protests with armored trucks and other military-grade equipment. Over the last few years, said DLA deputy director of logistics Mike Scott, the agency has added various controls on bequests to the local and state agencies, like the Ferguson force, that constitute 96 percent of the 1033 program participants. Each request by a police department, for example, must be approved by the force’s local government and a statewide 1033 program coordinator.

But GAO found that federal agencies have it much easier. Investigators simply enrolled in the program online and, once approved, purchased equipment over the Web.

“They never did any verification, like visit our ‘location,’ and most of it was by email,” Merritt told The Marshall Project. “It was like getting stuff off of eBay.”

In late 2015, DLA realized that the process was less stringent for federal agencies than for state and local outfits, and started drafting a memorandum of understanding that laid out federal participants responsibilities in the program, Scott said. But it was only after the GAO brought its sting operation to the DLA’s attention this spring that they froze transfers to any agency who hadn’t signed the agreement.

“The first meetings we had with [the GAO] were in March of 2017, when we learned what they were able to do in their investigation. By April 3, we had implemented” additional controls, Scott said.

Most of those controls are common-sense reforms, ones that make it less likely that bad actors can order potentially lethal equipment for a fake federal agency whose address is an empty lot — as the GAO did.

“We now require, very similar to the types of controls we implemented in the state and local process, a federal executive appointment of a [point of contact], a face-to-face visit to ensure they’re compliant, and then as a backup, the [FBI] database check to verify they’re a valid agency,” said Mike Cannon, the director of the DLA division that runs the 1033 program. “With those controls in place, I’m confident this won’t happen again.”

DLA has taken “positive steps in the right direction” Merritt said, but emphasized that GAO will be closely monitoring continued implementation.