DHS watchdog weighs in on 2019 biometrics leak

Customs and Border Protection didn't adequately safeguard data that was eventually leaked by a subcontractor, a recent Inspector General report states.

A Department of Homeland Security (DHS) Office of Inspector General report released on Sept. 21 provided details on a 2019 leak of biometric data from Customs and Border Protection (CBP) systems that was exposed in a ransomware attack on a subcontractor's network.

CBP acknowledged in June 2019 that images of travelers and license plates collected under its authority in a Texas technology pilot were stolen in a breach of a subcontractor's network.

The data breach compromised approximately 184,000 traveler images from the agency's facial recognition pilot at the Anzalduas border crossing at McAllen, Texas, according to the DHS OIG report. That project tested technology that took images of volunteer travelers' faces and license plates on vehicles moving through traffic lanes at the border crossing.

The data was leaked from subcontractor Perceptics' systems after the company transferred it from CBP's system without the agency's knowledge, according to the report. Perceptics accessed the data from the CBP system through an unsecured serial bus port in a locked enclosure. CBP officials told the DHS OIG that Perceptics personnel accessed the enclosure for maintenance, but the company never asked to access the data, much less transfer it to its own systems. Because of these circumstances, CBP said it disagreed with the report's assessment that the agency did not "adequately safeguard" the biometrics data.

"In short, the main issue of the incident was a subcontractor who disregarded the terms of their contract and normal ethical business principles," Henry Moak, CBP's chief accountability officer, wrote in reply to the OIG report. The agency also terminated its relationship with Perceptics when the breach was uncovered last year.

Over a dozen images, said the report, wound up on the dark web after the subcontractor refused to pay the ransom.

The DHS OIG recommended DHS' Office of Information Technology review policies restricting USB devices and implement stronger encryption for the trial. The watchdog also recommended coordinating those stronger protections for other DHS biometric programs, particularly the agency's biometric entry/exit program.

That program, being piloted at a number of U.S. airports and seaports, collects images of foreign nationals upon their entry to the U.S. and adds them to a database that can be used to confirm that the same individual is departing.

The DHS OIG recommended CBP's Office of Field Operations set up a plan for the entry/exit program to regularly assess third-party equipment that supports the program to ensure security and privacy compliance.