A US Customs and Border Protection subcontractor suffered a data breach that exposed the photos of tens of thousands of travelers coming in and out of the United States, the agency revealed Monday, in what it described as a "malicious cyber-attack."
The database of identifying traveler photos and license plate images had been transferred to a CBP subcontractor's network without the federal agency's authorization or knowledge, CBP explained. The subcontractor's network was then hacked, though CBP said its own systems had not been compromised.
The compromised photos were taken of travelers in vehicles coming in and out of the US through specific lanes at a single Port of Entry over a one and a half months period. Fewer than 100,000 people had their information compromised by the attack, according to a law enforcement official.
No other identifying information was included with the photos and no passport or other travel document photos were compromised, the official said. Images of airline passengers from the air entry and exit process were also not involved.
The cyberattack comes amid the ongoing rollout of CBP's “biometric entry-exit system,” the government initiative to biometrically verify the identities of all travelers crossing US borders. As BuzzFeed News reported earlier this year, CBP is scrambling to implement the initiative with the goal of using facial recognition technology on “100 percent of all international passengers,” including American citizens, in the top 20 US airports by 2021. And it is doing so in the absence of proper vetting, regulatory safeguards, and what privacy advocates say is in defiance of the law, BuzzFeed News found.
In May, The Register reported that Perceptics, the maker of vehicle license plate readers used by the US government and cities to identify and track citizens, was hacked, and its files were dumped online. CBP did not respond to questions from BuzzFeed News asking whether the breach the US agency announced today and the Perceptics hack are related.
Perceptics did not immediately respond to a request for comment.
"This breach comes just as CBP seeks to expand its massive face recognition apparatus and collection of sensitive information from travelers, including license plate information and social media identifiers," Neema Singh Guliani, a lawyer for the American Civil Liberties Union, said in a statement. "This incident further underscores the need to put the brakes on these efforts and for Congress to investigate the agency’s data practices. The best way to avoid breaches of sensitive personal data is not to collect and retain such data in the first place."
“One very good reason that databases that are law enforcement– and privacy-sensitive, as this one is, should be wholly governmental and not subject to contractors or subcontractors,” said Theresa Brown, a former CBP adviser who now heads immigration policy at the Bipartisan Policy Center. “There should never have been the ability to download a database like this off of government servers.”
In its announcement Monday, CBP did not mention the name of the subcontractor, how many people have been affected by the breach, and whether the breach affected primarily US citizens or noncitizens. Congressional lawmakers and staffers were notified of the breach on Saturday.
Bennie Thompson, chairman of the House Homeland Security Committee, said he would hold hearings on how DHS uses biometric information next month.
“Government use of biometric and personal identifiable information can be valuable tools only if utilized properly. Unfortunately, this is the second major privacy breach at DHS this year," he said. "We must ensure we are not expanding the use of biometrics at the expense of the privacy of the American public."
Read CBP's full statement below:
U.S. Customs and Border Protection Statement
Unauthorized Access of CBP Data
June 10, 2019
On May 31, 2019, CBP learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network. The subcontractor’s network was subsequently compromised by a malicious cyber-attack. No CBP systems were compromised.
Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract. As of today, none of the image data has been identified on the Dark Web or internet. CBP has alerted Members of Congress and is working closely with other law enforcement agencies and cybersecurity entities, and its own Office of Professional Responsibility to actively investigate the incident. CBP will unwaveringly work with all partners to determine the extent of the breach and the appropriate response.
CBP has removed from service all equipment related to the breach and is closely monitoring all CBP work by the subcontractor. CBP requires that all contractors and service providers maintain appropriate data integrity and cybersecurity controls and follow all incident response notification and remediation procedures. CBP takes its privacy and cybersecurity responsibilities very seriously and demands all contractors to do the same.