The data breach took place after a database used by Border Patrol was hit by a “malicious cyber-attack.”
Officials from US Customs and Border Protection (CBP) have revealed that one of their subcontractors was targeted in a “malicious” cyber attack that exposed pictures of tourists entering and leaving the US.
Confirmation of the attack came on Monday, and CBP officials revealed that the exposed data includes photos of travelers and license plate pictures. According to the CBP, around 100,000 individuals will be affected by this data breach.
According to the Washington Post, officials also explained that the compromised data included photos of people in vehicles that entered and left the country via a single land border entry port within a month and a half. The authorities have not disclosed the port’s name. Officials have, however, confirmed that the compromised data didn’t include identifying information such as passport numbers or photos of travel documents.
This exposure of photos and video recordings of tourists and vehicles, which was first reported on May 31, shows the extent to which the CBP surveils visitors and collects data from airports and land border crossings. The data becomes part of the CBP’s ever-growing facial recognition software, which is primarily designed to track the identities of people touring the US. According to a CBP spokesperson, the database was transferred to the federal subcontractor’s network without the knowledge or authorization of the CBP.
The subcontractor’s identity is still unclear, but the hacker’s identity has been revealed to be Boris Bullet-Dodger. According to a report published in The Register, on May 24 the hacker pilfered data from Perceptics, a company that provides license plate reading software used at the US-Mexico border. After breaching the company’s network security and obtaining the database, the hacker posted the data on the Dark Web to be downloaded for free.
Although the authorities are keeping the details under wraps, it cannot be ignored that the CBP makes extensive use of cameras and video recordings captured at border crossings and airports to create a facial recognition database.
Such databases become attractive targets for cybercriminals, especially hackers who are always hunting for the personal identification information of unsuspecting people. The CBP has nevertheless denied that the data posted on the Dark Web is its property, but it is a fact that Perceptics provides technical support to the agency and that, in May, a large chunk of data belonging to the same firm was up for download on the Dark Web.
Jackie Wren, CBP’s spokesperson, claims that it cannot be confirmed with certainty that Perceptics is the primary source of the recent data breach, while Perceptics has not yet commented on the incident.
It is also claimed that the CBP considers this a major data breach incident and that Perceptics was using the information to refine its algorithm for matching license plates with the faces of a vehicle’s occupants, a practice that the CBP allowed.
Furthermore, officials have also confirmed that the data mainly belongs to travelers crossing the Canadian border and that, contrary to popular belief, the incident didn’t involve China or any other state.
Here’s the CBP’s statement:
U.S. Customs and Border Protection Statement
Unauthorized Access of CBP Data
June 10, 2019
On May 31, 2019, CBP learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network. The subcontractor’s network was subsequently compromised by a malicious cyber-attack. No CBP systems were compromised.
Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract. As of today, none of the image data has been identified on the Dark Web or internet. CBP has alerted Members of Congress and is working closely with other law enforcement agencies and cybersecurity entities, and its own Office of Professional Responsibility to actively investigate the incident. CBP will unwaveringly work with all partners to determine the extent of the breach and the appropriate response.
CBP has removed from service all equipment related to the breach and is closely monitoring all CBP work by the subcontractor. CBP requires that all contractors and service providers maintain appropriate data integrity and cybersecurity controls and follow all incident response notification and remediation procedures. CBP takes its privacy and cybersecurity responsibilities very seriously and demands all contractors to do the same.