US border agency contractor breached, license plate and travelers’ photos stolen

US Customs and Border Protection (CBP) announced that a hacker may have stolen sensitive data collected by the agency from a subcontractor’s network.

“On May 31, 2019, CBP learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network. The subcontractor’s network was subsequently compromised by a malicious cyber-attack,” the CBP stated and pointed out that it’s systems weren’t compromised.

“Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract. As of today, none of the image data has been identified on the Dark Web or internet.”

What happened?

No details about the hack have been made public.

CBP has not named the contractor, but the statement was delivered to the Washington Post in a file named “CBP Perceptics Public Statement.” This seems to indicate that the contractor is likely Tennessee-based Perceptics, a company that sells vehicle identification and license plate recognition products used by “Border Control, Commercial Vehicle Enforcement, Electronic Toll Collection and Security industries.”

The theory is given added weight by the fact that Perceptics recently confirmed they’ve been breached and, as The Register reported on May 23, the attacker dumped on the dark web 65,000+ files – emails, documents, databases, images, etc. – and folders stolen from them.

The news outfit also confirmed on Monday that among those files are images of license plates belonging to vehicles passing through a number of CBP’s checkpoints on the US border.

“It appears the images were likely collected for troubleshooting or further development of the technology, rather than harvested en masse. There may be more images within the stolen data trove, of course,” The Register’s Shaun Nichols noted and reiterated that the stolen data was downloadable by anyone who could find it on the .onion website set up to host it.

Reactions to and comments on the news

“The issue with subcontractors is that you can’t completely control how they secure their network. You can ask for certifications, financials, controls, attestations; but there is always a limit to how much you can demand. You can’t necessarily walk into their office for a sudden inspection; or force them to use your standard of security because ‘yours are better than theirs.’ So if you choose to use a subcontractor, you also choose to accept the level of risk that comes with it, despite all your controls,” Pierluigi Stella, CTO of Network Box USA, commented for Help Net Security.

“In this case, there is also that murky aspect of the transfer of data. Why did this contract move all our face pictures to their network? What were they trying to do with that data? I have problems with the government keeping that information; I definitely have big issues with a private corporation doing so. Someone here needs to explain to us why that data was moved to the network of a private government subcontractor, to what end, what were they doing with that data? Let alone that now they lost it. What were they doing with it in the first place? Why did they practically steal it (the statement says they were not authorized to have that data).”

Tyler Owen, director of solution engineering at CipherCloud, noted that, aside from performing appropriate due diligence on all parties that have access to their data, the CBP should have technology in place to notice when sensitive data is being exfiltrated from their systems.

Robert Cattanach, a partner at the international law firm Dorsey & Whitney, told Help Net Security that unless a traveler can prove that they have been harmed by the disclosure of their information and location at a border or airport, there is very little anyone can do once their information has been stolen and made available on the dark web.

“US Courts have been reluctant to award damages absent a showing of specific and concrete harm. California’s newly enacted Consumer Privacy Act (CCPA) – which comes into effect January 1, 2020 – may change all that, at least for businesses that allow personal information to be accessed without authorization. The CCPA awards statutory penalties that are almost certain to be recognized as sufficient harm to consumers to justify an award of damages to the consumer because of the compromise, and most importantly, private class actions to make recovery easier,” he explained.

“The CCPA does not apply to the US Government, and more robust federal privacy protections have been repeatedly stalled in Congress. Rapidly evolving technology that collects vast amounts of individual data, coupled with the dramatic cultural differences between various countries that collect it, make this an even more challenging problem for individuals and their political systems to reconcile.”

Neema Singh Guliani, senior legislative counsel at the American Civil Liberties Union (ACLU), pointed out that this breach comes just as CBP seeks to expand its massive face recognition apparatus and collection of sensitive information from travelers, including license plate information and social media identifiers.

“This incident further underscores the need to put the brakes on these efforts and for Congress to investigate the agency’s data practices. The best way to avoid breaches of sensitive personal data is not to collect and retain such data in the first place,” she added.