IG: CBP Responsible for 2019 Biometrics Breach, Though No Federal Networks Were Compromised


A ransomware attack on a Customs and Border Protection vendor leaked facial images on more than 184,000 travelers—something agency security and policy should have prevented.

Customs and Border Protection agency networks were not compromised in a 2019 contractor breach that resulted in the theft of images of travelers' faces and other sensitive data, but the agency is still at least partially at fault, according to the inspector general.

The same month a Government Accountability Office report slammed CBP for lax security and poor transparency in its airport facial recognition system, the agency’s inspector general on Monday released an in-depth review of a breach of facial images collected through the license plate reader program.

CBP officials publicly announced the breach in June 2019, a month after the information was taken from a third-party contractor that was not supposed to have the data.

CBP has been working on deploying facial biometrics at all ports of entry as part of a 2016 congressional mandate. While much of that effort has focused on air travel, the agency has been running test programs at land crossings for pedestrian traffic. The agency also ran a limited Vehicle Face System pilot at the Anzalduas, Texas port in 2018, which took photos of vehicles in motion and recorded the license plate and an image of the driver’s face.

CBP entered into a contract with Unisys Corporation to design and build the image capture system at Anzalduas, and the contractor in turn hired Perceptics “to install its proprietary facial image capture solution and provide support for associated equipment,” the report states.

In at least three instances—August 31, 2018, November 2, 2018 and January 31, 2019—Perceptics requested access to CBP cameras to perform system maintenance, according to the IG. During those visits, employees downloaded image data to unencrypted USB drives that were later connected to the company's internal network.

The downloads were done without CBP authorization and in direct violation of the contract and DHS policy.

This happened “without CBP’s authorization or knowledge,” violating at least three security and privacy protocols established by DHS, according to the IG.

While “Perceptics staff directly violated DHS security and privacy protocols when they downloaded CBP’s sensitive PII from an unencrypted device,” the IG does not let CBP off the hook. “Given Perceptics’ ability to take possession of CBP-owned sensitive data, CBP’s information security practices during the pilot were inadequate to prevent the subcontractor’s actions.”

The data obtained by Perceptics was later compromised in a ransomware attack on the firm’s networks.

No federal government systems were breached in the incident, the IG confirms, but the report reiterates that this fact does not absolve CBP.

“Additional IT security controls in place during the pilot could have prevented Perceptics from violating contract clauses and using an unencrypted hard drive to access and download biometric images at the pilot site,” the report states.

The IG noted CBP IT security officials took immediate action after the incident, including plugging potential security holes at other ports of entry and initiating “a forensic security assessment in 2019 of all existing cameras and biometric technologies,” ultimately finding “potential security vulnerabilities at four airports conducting similar facial recognition pilots.”

The scale of the breach was relatively minor compared to others—like the 2015 Office of Personnel Management hack that compromised PII on some 21.5 million Americans.

The perpetrators were able to make off with 184,000 images of travelers crossing the U.S. border, at least 19 of which investigators discovered posted to the dark web—an area of the internet not indexed by search engines. While the breach could have significant impact on those individuals—no small matter despite the small scale—the IG cites other, indirect consequences.

“This incident may damage the public’s trust in the government’s ability to safeguard biometric data and may result in travelers’ reluctance to permit DHS to capture and use their biometrics at U.S. ports of entry,” compromising a myriad of other ongoing biometric programs.

The hackers also obtained “an array of contractual documents, program management documents, emails, system configurations, schematics, and implementation documentation related to CBP license plate reader programs,” the report states.

As a result of the incident, Perceptics was suspended from obtaining any “government contracts, subcontracts, grants, loans and other federal assistance programs in June 2019,” the report states. However, that suspension was lifted in September 2019.

“As a part of lifting the suspension, CBP and Perceptics entered into an agreement in an effort to correct the risks identified in CBP’s investigation of the data breach,” the IG wrote, but noted that, “At the conclusion of our fieldwork, Perceptics was no longer working with CBP as either a prime contractor or subcontractor.”

Ultimately, the IG made three recommendations for CBP:

  • Implement all mitigation and policy recommendations to resolve the 2019 data breach identified in CBP’s Security Threat Assessments, including implementing USB device restrictions and applying enhanced encryption methods.
  • Ensure that all additional security controls are implemented on relevant devices at all existing Biometric Entry-Exit program pilot locations.
  • Establish a plan for the Biometric Entry-Exit Program to routinely assess third-party equipment supporting biometric data collection to ensure partners’ compliance with department security and privacy standards.

CBP officials agreed with all three recommendations and provided detailed action plans for meeting them.

These added safeguards will be important as CBP upgrades its license plate reading program.

Since the program's inception in 2017, CBP has used license plate reading cameras at border crossings to record travelers' license plates, as well as for some limited facial recognition tests. In July, the agency officially expanded the program to include third-party data, including license plate images—and potentially facial images—from local governments, law enforcement, and even private sector organizations like banks and parking garages.

The data will be obtained through partnerships and contracts with third-party commercial vendors.

“The LPR commercial aggregator services store, index, and sell access to the images, along with the time and location of the collection. CBP will only have access to images from U.S. based cameras that are part of the commercial aggregator’s services,” according to CBP privacy documents.
