Photos of travelers crossing U.S. border exposed in cyberattack

With growing use of biometrics at the border, are we leaving our personal data exposed to hacking?

A U.S. border patrol database of traveler photos and license plates has been compromised as part of a malicious cyberattack, according to U.S. Customs and Border Protection officials.

The Washington Post first reported the incident involving a federal subcontractor, which transferred the images from CBP databases to their company network without the federal agency’s knowledge or authorization. Hackers then breached the subcontractor’s network. CBP systems were not hacked.

The images contained approximately 100,000 people in vehicles entering and exiting the U.S. over six weeks through a single port of entry, one U.S. government official told The Post. No other identifying information was included with the photos, and no passport or other travel document photos were compromised, the official said.

CBP operates and maintains a database of visa and passport photos as part of a facial recognition system to streamline traveler verification at their ports of entry and exit. The federal law enforcement agency also makes extensive use of cameras and video recordings at the arrival halls of international airports as well as land border crossings, where images of vehicles are captured.

The agency declined to name the breached subcontractor to The Post, but CBP officials sent the news organization a Microsoft Word document titled “CBP Perceptics Public Statement.”

A breach at Perceptics, a Tennessee-based company that builds and sells license plate readers, was reported by The Register on May 23. The breach contained hundreds of gigabytes of internal email archives and time-stamped jpegs (presumed to be license plate photos). It’s unclear whether this breach reported by the government was the same incident.

CBP has alerted members of Congress and is working with law enforcement and cybersecurity entities, and its own Office of Professional Responsibility to investigate the breach.

On a typical day, U.S. Customs and Border Protection screens more than 1 million international travelers and is scrambling to deploy a “biometric entry-exit system” at the top 20 U.S. airports by 2020 thanks to an executive order by President Trump. Despite questionable biometric confirmation rates and legal protections, CBP intends to use facial recognition technology on travelers aboard 16,300 flights per week—or more than 100 million passengers traveling on international flights out of the United States.

Facial recognition continues to spark fiery debates over privacy and security concerns. San Francisco, one of the most tech-savvy places, is the first major city to ban facial recognition by local government and law enforcement agencies. Other jurisdictions like New York City are following suit.

Privacy and security experts have long questioned the government’s ability to safeguard the public’s stockpile of private data. Lawmakers and civil liberties advocates demand action and further examination of the collected biometric data by the Department of Homeland Security, which includes CBP.

Luis Corrons, an Avast security evangelist, says CBP’s use of such data is nothing new.  “CBP has been collecting biometric data from every visitor who comes into the U.S. for ages. They take pictures and fingerprints of every non-citizen entering the country, even requiring the details of social media accounts. If the government takes the data, it is responsible for safeguarding it.”

CBP has yet to offer an explanation of their current policies around data sharing of biometric data with participating companies and third-party firms. Combined with these recent hacks, doubts will only continue to rise around DHS and CBP’s surveillance and data security practices.

Related articles