Incident Of The Week: U.S. Customs And Border Protection Breach

The data compromised was part of a ‘malicious cyber attack’ on a federal subcontractor


U.S. Customs and Border Protection (CBP) officials said on June 10, 2019, that photos of travelers had been compromised as part of a ‘malicious cyber attack.’ CBP uses cameras and video recordings extensively at airports and land border crossings, as part of a growing agency facial-recognition program. It is designed to track the identity of people entering and exiting the U.S.

Officials said that the data breach included images of people’s faces and license plates, which were compromised as part of an attack on a federal subcontractor.


“If the government collects sensitive information about Americans, it is responsible for protecting it — and that’s just as true if it contracts with a private company,” Sen. Ron Wyden (D-Ore.) said in a statement to The Post. “Anyone whose information was compromised should be notified by Customs, and the government needs to explain exactly how it intends to prevent this kind of breach from happening in the future.”


Unable To Confirm Breach Source

CBP initially reported that fewer than 100,000 people were impacted. The photographs involved in the breach came from a period of a month and a half at a single land border entry port (not named by CBP). No other identifying information was stolen, and no passport or travel document photos have been compromised so far.

CBP has also not reported which subcontractor was involved in the breach. However, a Microsoft Word document of its public statement sent to Washington Post reporters included the name Perceptics in the title. CBP spokeswoman Jackie Wren said that she is ‘unable to confirm’ if Perceptics is the actual source of the breach.

Although the source is not yet confirmed, it is important to note that the agency learned of the breach on May 31. Reporters at the British technology news site The Register said last month that a ‘large haul of breached data from the firm Perceptics was being offered as a free download on the dark web.’

Incident Raising Alarms In Congress

An anonymous U.S. official said that Perceptics was attempting to use the data to refine its algorithms to match license plates with the faces of a car’s occupants, which the official added is outside of CBP’s sanctioned use.

According to the official, the breach did not involve a foreign nation (unlike the China hack of the Office of Personnel Management in 2014, which exposed 22 million people). The news has nonetheless raised concerns in Congress, where lawmakers have questioned surveillance measures such as this, which potentially open up millions of people to identity theft.

CBP said copies of ‘license plate images and traveler images collected by CBP’ had been transferred to the subcontractor’s company network, violating the agency’s security and privacy rules. The subcontractor’s network was then attacked and breached. No CBP systems were compromised, the agency said.


The federal government, FBI and DHS, as well as a group of private contractors, all have access to a growing database of images such as those breached here — including biometric data.

While it is said to be necessary to enhance security, Rep. Bennie Thompson (D-Miss.), chair of the House Homeland Security Committee, said, “Government use of biometric and personally identifiable information can be valuable tools only if utilized properly. Unfortunately, this is the second major privacy breach at DHS this year.”

Thompson was referring to a separate breach in which more than 2 million U.S. disaster survivors had their information revealed by the Federal Emergency Management Agency. "We must ensure we are not expanding the use of biometrics at the expense of the privacy of the American public."
