Customs and Border Protection said today that images of travelers and vehicles collected at unspecified locations and illicitly transferred to a subcontractor’s network were stolen in a data breach.
CBP did not elaborate on the extent of the breach, but said that “as of today, none of the image data has been identified on the Dark Web or internet” and “no CBP systems were compromised.”
In a statement, the agency said it learned May 31 that “a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network.”
“The subcontractor’s network was subsequently compromised by a malicious cyber-attack,” CBP continued. “Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract.”
Members of Congress have been alerted, and CBP said it is “working closely with other law enforcement agencies and cybersecurity entities, and its own Office of Professional Responsibility to actively investigate the incident.”
“CBP will unwaveringly work with all partners to determine the extent of the breach and the appropriate response,” the statement continued. “CBP has removed from service all equipment related to the breach and is closely monitoring all CBP work by the subcontractor. CBP requires that all contractors and service providers maintain appropriate data integrity and cybersecurity controls and follow all incident response notification and remediation procedures. CBP takes its privacy and cybersecurity responsibilities very seriously and demands all contractors to do the same.”
CBP did not name the subcontractor, but the Washington Post said their reporters received a Word copy of the CBP statement on the data breach that used the title “CBP Perceptics Public Statement.” CBP spokeswoman Jackie Wren said she was “unable to confirm” whether Perceptics, which provides license plate readers at all land border crossings in the U.S., was the company involved.
In May, UK IT site The Register reported that Tennessee-based Perceptics was hacked and 65,000 of its files were available for free download on the dark web. The company confirmed to The Register at the time, the site said, that its network had been compromised but declined to elaborate.
House Homeland Security Committee Chairman Bennie Thompson (D-Miss.) said he plans to hold hearings next month on the Department of Homeland Security’s use of biometric information.
“We must ensure we are not expanding the use of biometrics at the expense of the privacy of the American public,” Thompson said.