US Customs and Border Patrol said Monday that a hacker stole traveler photos and license plate images from one of its contractors. CBP did not name the contractor, mention how many photos were taken, or go into detail about the types of data stolen.
CBP declined to answer specific questions about the breach, but the hack sounds similar to one reported last month by Motherboard, in which a license plate reader company called Perceptics was compromised by a hacker known as “Boris Bullet-Dodger.” At least some data from that hack was being listed on the dark web. It is not yet known whether this is the same hack, but CBP said in a statement that it did not have indications that the images had been sold on the dark web.
"On May 31, 2019, CBP learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network," CBP said. "The subcontractor’s network was subsequently compromised by a malicious cyber-attack. No CBP systems were compromised."
"Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract," it continued. "As of today, none of the image data has been identified on the Dark Web or internet. CBP has alerted Members of Congress and is working closely with other law enforcement agencies and cybersecurity entities, and its own Office of Professional Responsibility to actively investigate the incident. CBP will unwaveringly work with all partners to determine the extent of the breach and the appropriate response."
Perceptics did not immediately respond to a request for comment. The Washington Post reported, however, that a Microsoft Word document sent to it by CBP includes the name “Perceptics” in the title. As Motherboard reported last month, Perceptics’s tools are designed to be used with users’ passport data.
Perceptics, once a subsidiary of major government contractor Northrop Grumman, mainly distributes license plate readers, under-vehicle cameras, and driver cameras to the U.S., Canada, Mexico to place at border crossings. According to a company slide presentation from 2016, its readers and cameras are designed to be combined with federal “biographic/passport data” of the passengers.
U.S. Customs Service has used Perceptics services since 1982, and the company has had licence plate readers at all U.S.-Mexico border crossings since 2002. The company also has contracts with the United Arab Emirates, Saudi Arabia, Singapore, and Malaysia as well as several U.S. states like New Jersey. According to government contract awards, Perceptics also did business with the U.S. Drug Enforcement Administration in 2016.
Whether this is indeed related to the Perceptics hack or not, the breach announced by CBP Monday show that Americans’ sensitive information is being stored insecurely by third-party companies hired by the U.S. government. The news is particularly notable considering that CBP and the U.S. government wants to increasingly use facial recognition, which would require creating large datasets of Americans’ faces.
“This breach comes just as CBP seeks to expand its massive face recognition apparatus and collection of sensitive information from travelers, including license plate information and social media identifiers,” Neema Singh Guliani, a lawyer with the ACLU, said in a statement. “This incident further underscores the need to put the brakes on these efforts and for Congress to investigate the agency’s data practices. The best way to avoid breaches of sensitive personal data is not to collect and retain such data in the first place.”