Published on June 11th, 2019
US border agency contractor breached, license plate and travelers’ photos stolen
US Customs and Border Protection (CBP) announced that a hacker may have stolen sensitive data collected by the agency from a subcontractor’s network.
“On May 31, 2019, CBP learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network. The subcontractor’s network was subsequently compromised by a malicious cyber-attack,” the CBP stated and pointed out that its systems weren’t compromised.
“Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract. As of today, none of the image data has been identified on the Dark Web or internet.”
What happened?
No details about the hack have been made public.
CBP has not named the contractor, but the statement was delivered to the Washington Post in a file named “CBP Perceptics Public Statement.” This seems to indicate that the contractor is likely Tennessee-based Perceptics, a company that sells vehicle identification and license plate recognition products used by “Border Control, Commercial Vehicle Enforcement, Electronic Toll Collection and Security industries.”
The theory is given added weight by the fact that Perceptics recently confirmed they’ve been breached and, as The Register reported on May 23, the attacker dumped on the dark web 65,000+ files – emails, documents, databases, images, etc. – and folders stolen from them.
The news outfit also confirmed on Monday that among those files are images of license plates belonging to vehicles passing through a number of CBP’s checkpoints on the US border.
“It appears the images were likely collected for troubleshooting or further development of the technology, rather than harvested en masse. There may be more images within the stolen data trove, of course,” The Register’s Shaun Nichols noted and reiterated that the stolen data was downloadable by anyone who could find it on the .onion website set up to host it.
Reactions to and comments on the news
“The issue with subcontractors is that you can’t completely control how they secure their network. You can ask for certifications, financials, controls, attestations; but there is always a limit to how much you can demand. You can’t necessarily walk into their office for a sudden inspection; or force them to use your standard of security because ‘yours are better than theirs.’ So if you choose to use a subcontractor, you also choose to accept the level of risk that comes with it, despite all your controls,” Pierluigi Stella, CTO of Network Box USA, commented for Help Net Security.
“In this case, there is also that murky aspect of the transfer of data. Why did this contract move all our face pictures to their network? What were they trying to do with that data? I have problems with the government keeping that information; I definitely have big issues with a private corporation doing so. Someone here needs to explain to us why that data was moved to the network of a private government subcontractor, to what end, what were they doing with that data? Let alone that now they lost it. What were they doing with it in the first place? Why did they practically steal it (the statement says they were not authorized to have that data).”
Tyler Owen, director of solution engineering at CipherCloud, noted that, aside from performing appropriate due diligence on all parties that have access to their data, the CBP should have technology in place to notice when sensitive data is being exfiltrated from their systems.
Robert Cattanach, a partner at the international law firm Dorsey & Whitney, told Help Net Security that unless a traveler can prove that they have been harmed by the disclosure of their information and location at a border or airport, there is very little anyone can do once their information has been stolen and made available on the dark web.
“US Courts have been reluctant to award damages absent a showing of specific and concrete harm. California’s newly enacted Consumer Privacy Act (CCPA) – which comes into effect January 1, 2020 – may change all that, at least for businesses that allow personal information to be accessed without authorization. The CCPA awards statutory penalties that are almost certain to be recognized as sufficient harm to consumers to justify an award of damages to the consumer because of the compromise, and most importantly, private class actions to make recovery easier,” he explained.
“The CCPA does not apply to the US Government, and more robust federal privacy protections have been repeatedly stalled in Congress. Rapidly evolving technology that collects vast amounts of individual data, coupled with the dramatic cultural differences between various countries that collect it, make this an even more challenging problem for individuals and their political systems to reconcile.”
Neema Singh Guliani, senior legislative counsel at the American Civil Liberties Union (ACLU), pointed out that this breach comes just as CBP seeks to expand its massive face recognition apparatus and collection of sensitive information from travelers, including license plate information and social media identifiers.
“This incident further underscores the need to put the brakes on these efforts and for Congress to investigate the agency’s data practices. The best way to avoid breaches of sensitive personal data is not to collect and retain such data in the first place,” she added.