When a hacker publicly dumped information stolen from one of its license plate scanning contractors called Perceptics, U.S. Customs and Border Protection (CBP) needed to analyze the data. Fast.
"One of their guys [...] is pulling it down off the dark web and needs a way to quickly parse it….like NOW," an internal email between several staff members at Nuix, a cybersecurity company CBP asked to help, reads.
"This will [...] make us look like hero's [sic]. And we have a pending deal which makes this even more timely," the email, sent June 6, reads. "This breach is significant and the Agency is going to have to report it to Congress."
The hacker had stolen a wealth of emails, images of travelers, and internal documents from Perceptics, a company that makes license plate scanners and other technology that is used at the US-Mexico border and on highways around the country. The hacker was hosting the data on a hidden service, meaning it could only be downloaded through the Tor anonymity network via a certain data transfer protocol, making the download exceptionally slow.
A set of Nuix emails obtained by Motherboard gives a behind-the-scenes look at what happened after the Perceptics breach, and indications of CBP's panicked response. It also shows how CBP seemingly only analyzed a copy of the data weeks after the media first revealed the breach.
Motherboard obtained the emails and more information about the data breach response from a source familiar with the incident. Motherboard is preserving the source's anonymity to talk more candidly about a sensitive event.
Nuix is a company focused on digital forensics, cybersecurity, and compliance. It has a subsidiary focused on providing services to the U.S. government, called Nuix USG. Clients include the Department of State, the Department of Veteran Affairs, the Justice Department, the Department of Homeland Security, and the New York Police Department, according to Nuix USG's website.
In a June 10 statement to the media, CBP said that "As of today, none of the image data has been identified on the Dark Web or internet." A day later, on June 11, a Nuix employee wrote to several others working on the data breach that "And as of this morning Traveler Photo's [sic] are the priority," indicating that perhaps the data hadn't been fully analyzed before CBP made that statement (Motherboard also downloaded and analyzed the files and found that they did contain images of travelers in their vehicles.)
Over the next several days, the Nuix staff discussed the difficulty of downloading the stolen Perceptics data.
"Let me see what I can do," one employee wrote. "I've started pulling everything but its is [sic] really slow Im going to spin up another instances [sic] and go for just the photos," one employee wrote on June 11.
"Unless that rate changes, my math says 52 hours to download that one file," another Nuix employee wrote.
The source familiar with the incident said that after Nuix downloaded the data on behalf of CBP, Nuix sent it to the department via a shared Google Drive folder. Several of the emails corroborate this.
In one email, an employee writes they were told to look out for data that belongs to Canada.
CBP acknowledged a request for comment last week but did not respond to a follow-up sent Monday. Nuix did not respond to multiple requests for comment.
Since the data breach, multiple media outlets have reported on the dump's contents.. The Intercept reported that Perceptics wanted to profile drivers in New York, and that company officials lobbied Congress to downplay security and privacy concerns around automatic license plate reader technology. CNN found there were at least 50,000 license plates in the data dump.
Earlier this month CBP official suspended Pereptics from government work.