Customs and Border Protection “did not adequately safeguard sensitive data on an unencrypted device” before the 2019 Perceptics hack that compromised about 100,000 travelers’ images and 105,000 license plate images from CBP’s facial recognition pilot, the Department of Homeland Security’s Office of Inspector General found.
At least 19 of the facial images were confirmed by CBP to have been posted on the dark web, underscoring how the hack could damage public trust, OIG wrote in its report, noting, “As facial recognition technology advances, facial images, like those in this data breach, could be used in unauthorized ways to learn more information about travelers whose biometrics are captured by the Department.”
CBP said in June 2019 that images of travelers and vehicles collected at unspecified locations and illicitly transferred to a subcontractor’s network were stolen in a data breach. The agency said it learned May 31 that “a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network.”
CBP did not elaborate on the extent of the breach at the time, but said then that “as of today, none of the image data has been identified on the Dark Web or internet” and “no CBP systems were compromised.”
In May 2019, UK IT site The Register reported that Tennessee-based Perceptics was hacked and 65,000 of its files were available for free download on the dark web. The company confirmed to The Register at the time, the site said, that its network had been compromised but declined to elaborate.
In August 2019, Perceptics CEO John Dalton wrote at HSToday that the cyber intrusion was “devastating” and said he believed his company would “come out of this with a clean record in the end.”
“Unequivocally, I believe we have acted within the scope of our contracts, with reasonable and ethical behavior, and have worked hard to do the right thing,” Dalton said. “We were attacked, and we have hardened against potential future attacks and have been open, honest and forthright through this devastating time of uncertainty.”
The OIG review found that Perceptics, which was subcontracting for Unisys on a Vehicle Face System (VFS) pilot at the Anzalduas, Texas, Port of Entry, obtained access and transferred biometric data to its own company network between August 2018 and January 2019 “without CBP’s authorization or knowledge.”
“DHS requires subcontractors to protect PII from identity theft or misuse. However, in this case, Perceptics staff directly violated DHS security and privacy protocols when they downloaded CBP’s sensitive PII from an unencrypted device and stored it on their own network,” OIG wrote. “Given Perceptics’ ability to take possession of CBP-owned sensitive data, CBP’s information security practices during the pilot were inadequate to prevent the subcontractor’s actions.”
Perceptics gained the access to CBP’s data by submitting work order tickets through the CBP information technology (IT) help desk in August 2018, November 2018, and January 2019 to provide maintenance on cameras and other related equipment. “Once the tickets were approved by CBP and Unisys, Perceptics personnel performed the requested system maintenance work at the pilot site, but also used the access to download images from the system,” the report said. “None of the tickets authorized Perceptics to access or download images from the equipment.”
Perceptics personnel downloaded the data on an unencrypted USB hard drive that was taken back to their corporate office in Knoxville, Tenn., where the images were uploaded to the company’s server “to improve performance.” OIG said Unisys “chose not to inform CBP immediately of the data breach,” and “CBP found out about the data breach from a news article approximately 1 week after Perceptics notified Unisys.”
The May 2019 ransomware attack took not only the images but “an array of contractual documents, program management documents, emails, system configurations, schematics, and implementation documentation related to CBP license plate reader programs.”
CBP reacted to the incident by removing from service all equipment involved in the breach, canceling Perceptics’ employee access to CBP information systems and data, and requiring Unisys to terminate its contract with Perceptics. The company was temporarily suspended from federal contract work, but in September 2019 Perceptics became eligible to again participate as a contractor in the federal procurement process.
In total, about 184,000 images of travelers were compromised, but after weeding out duplicate images CBP said the images of about 100,000 individuals were compromised. During CBP’s investigation, the agency learned that the company had previously obtained more than 105,000 license plate images from prior pilots and stored them on its server longer than the allowed one-year period.
“Perceptics was able to make unauthorized use of CBP’s biometric data, in part because CBP did not implement all available IT security controls, including an acknowledged best practice. Additional IT security controls in place during the pilot could have prevented Perceptics from violating contract clauses and using an unencrypted hard drive to access and download biometric images at the pilot site,” OIG wrote. “Following the data breach, CBP’s Chief Information Security Officer acknowledged the equipment vulnerabilities at this pilot location in Anzalduas, TX. Accordingly, CBP took swift action to prevent unauthorized access to, or removal of, data. Specifically, CBP disabled all USB capabilities to help prohibit further unauthorized access to pilot data. Additionally, approximately 4 months after the breach, CBP staff said they performed all needed software updates to support encryption of equipment similar to that used for the pilot.” CBP also “took immediate steps to review possible IT vulnerabilities at other locations with ongoing biometric pilot efforts.”
The report noted that CBP’s post-breach assessments “identified potential security vulnerabilities at four airports conducting similar facial recognition pilots.”
“CBP ultimately made 10 mitigation recommendations and 3 policy recommendations based on these assessments to protect against unauthorized access to data from cameras and related equipment used for biometric confirmation,” OIG said. “One key recommendation was to ensure implementation of USB device restrictions and to apply enhanced encryption methods.” CBP also sent a memo requiring all IT contractors to sign statements guaranteeing compliance with contract terms related to IT and data security.
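A defender-side check suggested by the ticket-abuse and unencrypted-USB details above, written as an added example that is not part of the OIG report or of any CBP, Unisys or Perceptics tooling: it correlates constructed removable-media events from pilot equipment against approved work-order windows and flags writes that no ticket authorizes, or that go to an unencrypted device. The host name, work-order ids, timestamps and log format are all assumptions.

```python
from datetime import datetime

# Constructed sample data: hypothetical host, work-order ids, windows and log format.
# Tuple fields: ticket id, host, window start, window end, data export authorized?
TICKETS = [
    ("WO-2018-0811", "anz-cam-01", "2018-08-14T09:00", "2018-08-14T17:00", False),
    ("WO-2018-1107", "anz-cam-01", "2018-11-07T09:00", "2018-11-07T17:00", False),
]
USB_LOG = """\
2018-08-14T10:22 host=anz-cam-01 dev=sdb1 action=mount encrypted=no
2018-08-14T10:25 host=anz-cam-01 dev=sdb1 action=write bytes=734003200 encrypted=no
2018-11-07T11:02 host=anz-cam-01 dev=sdc1 action=read bytes=52428800 encrypted=yes
2019-01-22T14:40 host=anz-cam-01 dev=sdb1 action=write bytes=215000000 encrypted=no
"""

def parse_line(line):
    """Turn one 'timestamp key=value ...' log line into a dict."""
    ts, *pairs = line.split()
    f = dict(p.split("=", 1) for p in pairs)
    return {"when": datetime.fromisoformat(ts), "host": f["host"], "dev": f["dev"],
            "action": f["action"], "bytes": int(f.get("bytes", 0)),
            "encrypted": f.get("encrypted") == "yes"}

def covering_tickets(ev, tickets):
    """Approved work orders for this host whose window contains the event time."""
    return [t for t in tickets if t[1] == ev["host"]
            and datetime.fromisoformat(t[2]) <= ev["when"] <= datetime.fromisoformat(t[3])]

def findings_for(ev, tickets):
    """Policy checks for one event; an empty list means nothing to escalate."""
    out, covering = [], covering_tickets(ev, tickets)
    if not covering:
        out.append("no approved work order covers this removable-media session")
    if ev["action"] == "write" and ev["bytes"] > 0:
        # A maintenance ticket approves service work, not copying images off the device.
        if covering and not any(t[4] for t in covering):
            out.append(f"{covering[0][0]} authorizes maintenance only, not data export")
        if not ev["encrypted"]:
            out.append("data written to an unencrypted removable device")
    return out

def audit(log_text, tickets):
    """Map the timestamp of each flagged event to its findings."""
    result = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        found = findings_for(ev, tickets)
        if found:
            result[ev["when"].isoformat(timespec="minutes")] = found
    return result
```

Reading update files from encrypted media inside an approved window produces no finding, while a write during a maintenance-only window or outside any window is escalated with the reason.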
OIG recommended that CBP’s Assistant Commissioner for the Office of Information and Technology “implement all mitigation and policy recommendations to resolve the 2019 data breach identified in CBP’s Security Threat Assessments, including implementing USB device restrictions and applying enhanced encryption methods,” that the Deputy Executive Assistant Commissioner, Office of Field Operations “coordinate with the CBP Office of Information and Technology to ensure that all additional security controls are implemented on relevant devices at all existing Biometric Entry-Exit program pilot locations,” and that the Deputy Executive Assistant Commissioner, Office of Field Operations “establish a plan for the Biometric Entry-Exit Program to routinely assess third-party equipment supporting biometric data collection to ensure partners’ compliance with Department security and privacy standards.”
CBP concurred and requested that the three recommendations be closed as they have been implemented.
The DHS Office of Biometric Identity Management maintains the Automated Biometric Identification System, which contains the biometric data repository of more than 250 million people and can process more than 300,000 biometric transactions per day. DHS components using biometrics are CBP, the Transportation Security Administration (TSA), the United States Secret Service, U.S. Immigration and Customs Enforcement, and U.S. Citizenship and Immigration Services.
As of April 2019, CBP had processed 19,829 flights and 2.8 million travelers across 19 airports through its biometric program.