Feds lose control of thousands of traveler photos in data breach
Jun 12 2019
The US Customs and Border Protection agency admitted today to a data breach that occurred at one of its subcontractors, during which a hacker stole license plate and facial recognition photos.
The database, which comprised photos of people's faces and license plates, had been transferred to the subcontractor's network without the federal agency's authorization or knowledge, a CBP spokesperson told The Register. "There may be more images within the stolen data trove, of course," The Register's Shaun Nichols noted, and reiterated that the stolen data was downloadable by anyone who could find it on the .onion website set up to host it. CBP did not disclose the contractor but said the image file transfer violated security and privacy protocols in its contract. It's not certain if that info is associated with the CBP's breach.
It's unknown exactly how many images were compromised but, as reported by TechCrunch, CBP said the incident affected fewer than 100,000 people through a "few specific lanes at a single land border" over a period of a month and a half.
A CBP source said the images involved fewer than 100,000 people who were in vehicles entering and exiting the United States through a single border port of entry.
With databases containing personal identifying information becoming an alluring target for hackers and cybercriminals, the incident further underscores the need for careful evaluation of data collection practices by government agencies.
In May, a similar cyberattack was carried out against US-based Perceptics, a company that offered license-plate recognition software to government agencies such as the US Immigration and Customs Enforcement (ICE).
The Washington Post said its reporters received a Microsoft Word document Monday that included the name "Perceptics" in the title: 'CBP Perceptics Public Statement'. Although, if you wanted to build a facial recognition database, a cache of photographs paired with government-issued IDs like a passport would be the ideal data set.
Civil liberties groups including the ACLU and the Electronic Frontier Foundation have expressed alarm at the general lack of regulation of license plate-reading cameras and burgeoning databases maintained by government agencies including CBP, Immigration and Customs Enforcement and the Federal Bureau of Investigation. "The best way to avoid breaches of sensitive personal data is not to collect and retain such data in the first place," the American Civil Liberties Union (ACLU) said. Police agencies have also used the data to look for potential criminal suspects. It is this photo database that the hacker gained access to.
The agency said it learned of the data breach May 31.
"We must ensure we are not expanding the use of biometrics at the expense of the privacy of the American public," he said in a statement reported by The Hill.