In its rush to gather biometric data from travelers in the US, Customs and Border Protection has apparently neglected basic safeguards to protect it. One of its subcontractors was recently breached, leaving photos of travelers and license plates in the hands of hackers.
The Washington Post first reported the incident, whose full scope remains unclear. But the hack has raised sharp questions about the agency’s already controversial push for biometrics. Facial recognition scans have become more routine at airports; CBP wants it in the top 20 US airports by 2021.
“The CBP program should be suspended pending an investigation,” says Jeramie Scott, senior counsel at the Electronic Privacy Information Center. “The agency simply should not collect this sensitive personal information if it cannot safeguard it.”
CBP declined to name the breached subcontractor , but apparently sent the news outlet a Microsoft Word document titled “CBP Perceptics Public Statement.” The Word file strongly suggests that Tennessee-based Perceptics, which makes license plate readers and has a decades-long relationship with CBP, is the vendor in question.
That makes even more sense when you consider that a hacker calling themselves “Boris Bullet-Dodger” dumped hundreds of gigabytes of data stolen from Perceptics on the dark web in May. It’s unclear if that breach, first reported by The Register, is the same as the one CBP copped to Monday. The former became public on May 23; CBP says it found out that its database had been compromised over a week later.
“On May 31, 2019, CBP learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network,” the agency said in a statement. “The subcontractor’s network was subsequently compromised by a malicious cyberattack. No CBP systems were compromised.”
Perceptics did not respond to a request for comment. But regardless of which specific vendor the breach stems from, the upshot is the same.
CBP has given precious little information about how many people were impacted, a troubling lack of disclosure. It’s not even clear exactly what type of data-and whether it extends to biometrics beyond photos-the database contained. While CBP says “none of the image data has been identified on the Dark Web or internet,” the dump of hacked Perceptics data just a few short weeks ago doesn’t give much confidence that this breach is contained, or will stay that way.
In short, the only people who know the full scope of this breach are CBP, an unnamed subcontractor, and whoever pulled off the hack.
How serious is this?
Without more clarity on the contents of the database in question, it’s hard to say for sure in terms of the impact on an individual level. Probably pretty bad, though! And on principle, it’s close to a worst-case scenario.
That CBP itself wasn’t directly hacked doesn’t make the situation any better. In fact, it arguably makes things worse; the agency let a third party access incredibly sensitive data, and didn’t ensure that appropriate security measures were in place. That it treats an image database of private citizens with the same lack of care that it does a Microsoft Word doc should set off very loud alarm bells.
“CBP requires that all contractors and service providers maintain appropriate data integrity and cybersecurity controls and follow all incident response notification and remediation procedures,” the agency said in its statement. “CBP takes its privacy and cybersecurity responsibilities very seriously and demands all contractors to do the same.” It’s a fine sentiment; the facts of the case belie it.
The breach also comes at a time when facial recognition regulation has garnered bipartisan support, after years of going relatively unchecked in both the public and private sectors.
“This incident further underscores the need to put the brakes on these efforts and for Congress to investigate the agency’s data practices,” said Neema Singh Guliani, senior legislative counsel at the American Civil Liberties Union, in a statement. “The best way to avoid breaches of sensitive personal data is not to collect and retain such data in the first place.”
It may be too late for the victims of this data breach, but it’s past time to help limit the damage before the next hack comes along.