This week, U.S. Customs and Border Protection announced that hackers compromised traveler images and license plate photos from one of the agency's contractors. In a statement, the agency said that "none of the image data has been identified on the Dark Web or internet."
But Motherboard found and downloaded thousands of driver and license plate images that were hacked from Perceptics, a government contractor believed to be the one affected in the incident CBP described. The vast majority of photos Motherboard obtained are not from CBP or a border crossing—instead, they appear to be related to a Perceptics demo conducted for toll collection on the Pennsylvania Turnpike, which is operated by the Pennsylvania Turnpike Commission. The hacked data also includes CBP-related files, including a 2015 presentation that contains images of people in their vehicles as part of a proof-of-concept Perceptics made for CBP in 2015.
In some of the Pennsylvania Turnpike images, drivers' faces are clearly visible; in many of them, license plate and car make-and-model information is easy to see.
CBP has not yet confirmed that Perceptics is the company it was referring to in its press releases earlier this week, and has declined to answer questions about the company affected. However, the title of a Word document the agency sent to The Washington Post included "Perceptics."
Regardless, the images highlight how data that is collected for government purposes can end up in the databases of a third party. In this case, sensitive data wasn't protected properly, was hacked, and ended up being available for anyone to download. The images also show that automated toll collection on highways around the country has resulted in passive surveillance of drivers, whose images are in some cases added to databases that can be stored for years.
Earlier this week, a CBP official wrote in an email that the traveler images involved fewer than 100,000 people, and that the images were of travelers in vehicles entering the U.S. through specific lanes at a single land border over a one-and-a-half month period. CBP said the stolen information did not include passport or other traveler document photographs.
The images in the large cache stolen from Perceptics were captured by its license plate reader system. Most of the images appear to originate from a demo Perceptics conducted at the Pennsylvania Turnpike, judging by the folder names and the supporting PDFs included in the cache, which lay out the scope and intention of the license plate reader deployment. The images were collected in a roughly two-month period in 2017, according to their file names.
"The purpose of this project is to install the latest Perceptics license plate reader technology at an operational site to demonstrate the high accuracy of the Perceptics Optical Character Recognition (OCR) and high attach/yield rates that can be expected utilizing this solution," a document included in the cache outlining the purposes of the demo reads.
The images include a full image of the front of the vehicle, a cropped version, and then a full and cropped version of the rear of the vehicle. In all, there appear to be thousands of individual images. The vehicle's type, brand, and license plates are, in many cases, visible. That section of the data dump is over 50 gigabytes in size. Some of the images reviewed by Motherboard show people in their vehicles, including their faces.
The CBP documents in the data cache published on the dark web include a Perceptics PDF containing satellite imagery of the World Trade Bridge in Texas, a site on the U.S.-Mexican border where CBP has a presence. The CBP-related documents also include a presentation dated 2015 outlining a Perceptics demo for CBP, which contains a handful of "sample image data collected" of vehicles. One of the slides is called "Sample Driver Images" and includes zoomed-in black-and-white photos of drivers whose faces are easily visible.
"Over 2,500 Commercial Vehicle transactions were captured and processed," one slide of the presentation reads, before adding other statistics, such as that the majority of tractors are Mexican trucks.
Perceptics has long advertised its ties to the U.S. government as well as the power of its camera and image-processing technology.
In 2015, Perceptics sponsored an electronic tolling conference about the "technology, science, and politics of mobility." In a brochure for that conference, Perceptics is described as: "For over 30 years, the U.S. government has trusted Perceptics LPR solutions for vehicle data collection at border crossings and security at some of the most highly sensitive facilities in the nation." In a piece written for TollTrans, a toll industry publication, Jennifer Sherblom, business development manager for Perceptics, wrote that toll operators should switch to automated, camera-based toll systems like the ones offered by Perceptics.
"In the long run, high-quality imagers coupled with a powerful [Optical Character Recognition] engine offer much better value to any toll operator versus human-read images," she wrote.
In an email, a CBP spokesperson said the agency stands behind its initial statements, and that the agency has not yet verified whether the leaked images on the dark web come from any CBP holdings. The spokesperson said the forensic investigation is incomplete and ongoing.
Perceptics did not respond to multiple requests for comment. The Pennsylvania Turnpike Commission didn’t provide comment in time for publication.
When asked for comment on whether they believed the CBP announcement was related to their hack of Perceptics, Boris Bullet-Dodger, the hacker behind that breach, said in an email, "I think that idiots manage the company Perceptics."
Jason Koebler contributed reporting.
Update: This piece has been updated to include comment from the CBP.