U.S. Customs and Border Protection has confirmed a data breach has exposed the photos of travelers and vehicles traveling in and out of the United States.
The photos were transferred to a subcontractor’s network and later stolen through a “malicious cyberattack,” a CBP spokesperson told TechCrunch in an email.
CBP’s networks were unaffected by the breach.
“CBP learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network,” said an agency statement.
“Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract,” the statement read.
The agency first learned of the breach on May 31.
When asked, a spokesperson for CBP didn’t say how many photos were taken in the breach or if U.S. citizens were affected. The agency also didn’t name the subcontractor.
The breach comes weeks after a report said Perceptics, a government contractor, which claims to be the “sole provider” of license plate readers at U.S. land borders, was breached and its data was dumped on the dark web. It’s not yet known if the two incidents are linked. But according to the Washington Post, a Microsoft Word document containing the statement included “Perceptics” in the title. (TechCrunch received the statement as text in an email.)
CBP, however, said that ‘none of the image data has been identified on the Dark Web or internet.”
A spokesperson for Perceptics did not immediately comment.
It remains unclear exactly what kind of photos were taken, such as if the images were collected directly from CBP officers by visitors entering the U.S. or part of the agency’s rollout of facial recognition technology at U.S. ports of entry.
The Post later reported that airport operations were not affected by the breach, suggesting the stolen data came from land crossings. A report in The New York Times, citing a government official, said “no more” than 100,000 images were stolen.
A CBP spokesperson did not return a follow-up email.
The agency, which processes more than a million travelers entering the U.S. every day, maintains a database of traveler images, including passport and visa photos. The database has come under fire from a federal watchdog, which said the accuracy of the system was subpar.
CBP said it had notified members of Congress and is “closely monitoring” CBP-related work by the subcontractor.
Ron Wyden, a Democratic senator vocal on national security issues, said the government “needs to explain exactly how it intends to prevent this kind of breach from happening in the future.”
“This incident should be a lesson to those who have supported expanding government surveillance powers – these vast troves of Americans’ personal information are a ripe target for attackers,” said Wyden.
News of the CBP breach has drawn ire from the civil liberties crowd, which have long opposed the collection of facial recognition at the border.
In remarks, ACLU senior legislative counsel Neema Singh Guliani said the breach “further underscores the need to put the brakes” on the government’s facial recognition efforts.
“The best way to avoid breaches of sensitive personal data is not to collect and retain such data in the first place,” she said.
Powered by WPeMatico