IG: CBP Responsible for 2019 Biometrics Breach, Though No Federal Networks Were Compromised

Customs and Border Protection agency networks were not compromised in a 2019 contractor breach that resulted in the theft of images of travelers faces and other sensitive data, but that does not mean the agency is not at least partially at fault, according to the inspector general.

The same month a Government Accountability Office report slammed CBP for lax security and poor transparency in its airport facial recognition system, the agency’s inspector general on Monday released an in-depth review of a breach of facial images collected through the license plate reader program.

CBP officials publicly announced the breach in June 2019, a month after the information was taken from a third-party contractor that was not supposed to have the data.

CBP has been working on deploying facial biometrics at all ports of entry as part of a 2016 congressional mandate. While much of that effort has focused on air travel, the agency has been running test programs at land crossings for pedestrian traffic. The agency also ran a limited Vehicle Face System pilot at the Anzalduas, Texas port in 2018, which took photos of vehicles in motion and recorded the license plate and an image of the driver’s face.

CBP entered into a contract with Unisys Corporation to design and build the image capture system at Anzalduas, and the contractor in turn hired Perceptics “to install its proprietary facial image capture solution and provide support for associated equipment,” the report states.

In at least three instances—August 31, 2018, November 2, 2018 and January 31, 2019—Perceptics requested access to CBP cameras to perform requested system maintenance, according to the IG. At that time, employees downloaded image data to unencrypted USB drives that were later connected to the company’s internal network.

The downloads were done without CBP authorization and in direct violation of the contract and DHS policy.

This happened “without CBP’s authorization or knowledge,” violating at least three security and privacy protocols established by DHS, according to the IG.

While “Perceptics staff directly violated DHS security and privacy protocols when they downloaded CBP’s sensitive PII from an unencrypted device,” the IG does not let CBP off the hook. “Given Perceptics’ ability to take possession of CBP-owned sensitive data, CBP’s information security practices during the pilot were inadequate to prevent the subcontractor’s actions.”

The data obtained by Perceptics was later compromised in a ransomware attack on the firm’s networks.

No federal government systems were breached in the incident, the IG confirms, but again reiterates that fact does not absolve CBP.

“Additional IT security controls in place during the pilot could have prevented Perceptics from violating contract clauses and using an unencrypted hard drive to access and download biometric images at the pilot site,” the report states.

The IG noted CBP IT security officials took immediate action after the incident, including plugging potential security holes at other ports of entry and initiating “a forensic security assessment in 2019 of all existing cameras and biometric technologies,” ultimately finding “potential security vulnerabilities at four airports conducting similar facial recognition pilots.”

The scale of the breach was relatively minor compared to others—like the 2015 Office of Personnel Management hack that compromised PII on some 21.5 million Americans.

The perpetrators were able to make off with 184,000 images of travelers crossing the U.S. border, at least 19 of which investigators discovered posted to the dark web—an area of the internet not indexed by search engines. While the breach could have significant impact on those individuals—no small matter despite the small scale—the IG cites other, indirect consequences.

“This incident may damage the public’s trust in the government’s ability to safeguard biometric data and may result in travelers’ reluctance to permit DHS to capture and use their biometrics at U.S. ports of entry,” compromising a myriad of other ongoing biometric programs.

The hackers also obtained “an array of contractual documents, program management documents, emails, system configurations, schematics, and implementation documentation related to CBP license plate reader programs,” the report states.

As a result of the incident, Perceptics was suspended from obtaining any “government contracts, subcontracts, grants, loans and other federal assistance programs in June 2019,” the report states. However, that suspension was lifted in September 2019.

“As a part of lifting the suspension, CBP and Perceptics entered into an agreement in an effort to correct the risks identified in CBP’s investigation of the data breach,” the IG wrote, but noted that, “At the conclusion of our fieldwork, Perceptics was no longer working with CBP as either a prime contractor or subcontractor.”

Ultimately, the IG made three recommendations for CBP:

• Implement all mitigation and policy recommendations to resolve the 2019 data breach identified in CBP’s Security Threat Assessments, including implementing USB device restrictions and applying enhanced encryption methods.
• Ensure that all additional security controls are implemented on relevant devices at all existing Biometric Entry-Exit program pilot locations.
• Establish a plan for the Biometric Entry-Exit Program to routinely assess third-party equipment supporting biometric data collection to ensure partners’ compliance with department security and privacy standards.

CBP officials agreed with all three recommendations and provided detailed action plans for meeting them.

These added safeguards will be important as CBP upgrades its license plate reading program.

Since the program’s inception in 2017, CBP has used license plate reading cameras at border crossings to record travelers’ license plates, as well as some limited facial recognition tests. In July, the agency officially expanded the program to include third-party data, including license plate—and potentially facial images—from local governments, law enforcement, and even private sector organizations like banks and parking garages.

The data will be obtained through partnerships and contracts with third-party commercial vendors.

“The LPR commercial aggregator services store, index, and sell access to the images, along with the time and location of the collection. CBP will only have access to images from U.S. based cameras that are part of the commercial aggregator’s services,” according to CBP privacy documents.