US border data breach exposes images of travelers and vehicles

US border data breach exposes images of travelers and vehicles

The US Customs and Border Protection (CBP) agency has confirmed a data breach has exposed the photos of people and vehicles traveling across the US border.

A spokesperson for the agency has said that the security incident affected “fewer than 100,000 people” through a “few specific lanes at a single land border” over a period of around 45 days

“No passport or other travel document photographs were compromised and no images of airline passengers from the air entry/exit process were involved,” a spokesperson for the agency.

The photos were transferred to a subcontractor’s network and later stolen through a “malicious cyberattack”, a CBP spokesperson confirmed with website, TechCrunch, yesterday.

The agency said in a statement: “CBP learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network.

“Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract.”

The agency did not name the subcontractor and its networks were unaffected by the breach, but did say that so far “none of the image data has been identified on the Dark Web or internet”.

This new breach comes after government contractor, Perceptics, was recently breached and the data dumped on the dark web. It’s not yet known if the two incidents are linked.

The exact nature of the visitor images still remains unclear – whether they were taken directly by CBP officers or as part of the agency’s rollout of facial recognition technology at border and entry crossing points.

John Gunn, CMO of security software company, OneSpan, commented on the hack: “Biometric technology is too often misrepresented by the media and certain fanatics as a Big-Brother conspiracy. It is not a panacea; it is a developing technology that is imperfect and has weaknesses and vulnerabilities like every technological advance in our history, but the net sum gain of its use is indisputably positive.

“Opponents argue that any potential misuse or compromise should disqualify the use of biometrics, but using this flawed logic would mean that all law enforcement officers’ should be stripped of their firearms because they are sometimes taken or misused by criminals. Like any tool used against criminal activities, biometric technology must be applied intelligently and with proper safeguards.”

Robert Cattanach is a partner at the international law firm Dorsey & Whitney, he commented: “US Customs and Border Protection admitted that photos of travelers, along with license plate information, were compromised when one of CBP’s contractors was hacked in a cyber attack. Advanced facial recognition technology, and rapidly growing data bases on all individuals, can easily identify people based on cameras and video recordings at borders and airports.

“Unless a traveler can prove that they have been harmed somehow by the disclosure of their information and location at a border or airport, however, there is very little anyone can do once their information has been stolen, and then often made available on the dark web. US Courts have been reluctant to award damages absent a showing of specific and concrete harm. California’s newly enacted Consumer Privacy Act (CCPA) – which comes into effect January 1, 2020 – may change all that, at least for businesses that allow personal information to be accessed without authorization. The CCPA awards statutory penalties that are almost certain to be recognized as sufficient harm to consumers to justify an award of damages to the consumer because of the compromise, and most importantly, private class actions to make recovery easier.

“The CCPA does not apply to the US Government, and more robust federal privacy protections have been repeatedly stalled in Congress. Rapidly evolving technology that collects vast amounts of individual data, coupled with the dramatic cultural differences between various countries that collect it, make this an even more challenging problem for individuals and their political systems to reconcile.”