Images of travelers and license plates that a subcontractor copied from a database maintained by the US Customs and Border Protection (CBP) to his own network have been ripped off by hackers, the agency confirmed on Monday, adding yet more reasons for critics to warn about the perils to privacy that come with the government’s burgeoning use of facial recognition (FR) surveillance technologies.
A CBP spokesperson told news outlets that the agency learned on 21 May 2019 that the subcontractor “transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network.”
That transfer was done in “violation of CBP policies and without CBP’s authorization or knowledge,” the spokesperson said.
First hop: improperly copied to the contractor’s network. Second hop: hacked away by malicious actor(s). The CBP spokesperson:
The subcontractor’s network was subsequently compromised by a malicious cyber-attack. No CBP systems were compromised.
All eyes turn to Perceptics
If it’s got any more details, the CBP isn’t giving them out. The agency hasn’t publicly named the subcontractor, nor exactly how many photos were involved.
However, it sounds like a dead ringer for the Perceptics breach confirmed last month. Perceptics is one of the US’s most widely used vehicle license plate reader (LPR) companies and designed the license plate imaging systems used at the US border crossings with Mexico and Canada.
The Washington Post reports that on Monday, its reporters received a Microsoft Word document of CBP’s public statement that included the name “Perceptics” in the title: “CBP Perceptics Public Statement.”
An anonymous US official told the newspaper that the Perceptics breach is being described inside CBP as a “major incident.” That official also said that Perceptics was attempting to use the data to refine its algorithms to match license plates with the faces of a car’s occupants, which is outside of CBP’s sanctioned use. The Post’s source said that the data involved travelers crossing the Canadian border.
When it reported about the Perceptics breach last month, Motherboard’s Vice noted that a Perceptics slide presentation from 2016 described how its readers and cameras are designed to be combined with federal “biographic/passport data” of passengers in vehicles passing through border crossings.
Not for sale – yet
We don’t know whether the breach announced by the CBP on Monday does in fact involve Perceptics. What we do know is that the images haven’t been put up for sale on the Dark Web… yet.
From the CBP’s statement:
As of today, none of the image data has been identified on the Dark Web or internet. CBP has alerted Members of Congress and is working closely with other law enforcement agencies and cybersecurity entities, and its own Office of Professional Responsibility to actively investigate the incident.
Though the data wasn’t up for sale as of Monday, the breach shows that this type of data is of interest to hackers.
A CBP official told The Hill that initial reports indicate that the breach involved images of fewer than 100,000 people in vehicles coming and going through a few specific lanes at a single port of entry into the US over the past one-and-a-half months.
The breach didn’t involve those people’s identifying information, nor their passport or other travel document photos. The official said that no airline passengers’ photos were involved in the breach.
Critics: Slow down your FR roll
Last week, the General Accountability Office (GAO) said that the FBI’s FR office can now search databases containing more than 641 million photos, including 21 state databases – a number that’s ballooned from the 412 million images the FBI’s Face Services unit had access to at the time of the report the GAO did three years ago.
During those three years, the FBI has failed to implement all but one of six recommendations the GAO had regarding privacy protection, FR data quality, and determining whether facial database searches actually lead to enough positive matches to warrant the technology’s use.
Neema Singh Guliani, a lawyer with the ACLU, said in a statement that the breach announced on Monday is further proof that the government should be throttling its lust for FR:
This breach comes just as CBP seeks to expand its massive face recognition apparatus and collection of sensitive information from travelers, including license plate information and social media identifiers. This incident further underscores the need to put the brakes on these efforts and for Congress to investigate the agency’s data practices. The best way to avoid breaches of sensitive personal data is not to collect and retain such data in the first place.
For his part, Senator Ron Wyden said in a statement that if the government’s going to collect this data, it should be responsible for protecting it, whether the data resides in its own systems or in those of its contractors.
These vast troves of Americans’ personal information are a ripe target for attackers.
Anyone whose information was compromised should be notified by Customs, and the government needs to explain exactly how it intends to prevent this kind of breach from happening in the future.