The US Customs and Border Protection (CBP) agency has confirmed that photos of travellers and license plates have been compromised in a data breach.
Officials released a statement Monday revealing a federal subcontractor suffered a “malicious cyberattack” that involved images of people’s faces and vehicle license plates taken by CBP at a single land border entry point, according to The Washington Post.
CBP says the images are used as part of a facial recognition programme designed to track people entering and exiting the US.
The agency says fewer than 100,000 people were impacted by the data breach, but the attackers did not obtain any identifying information such as passport or travel document details.
It learned of the breach on 31 May but has not said which subcontractor was involved.
However, The Washington Post claims to have seen a document of CBP’s public statement, which included the name of a company called Perceptics. An earlier report from British technology news site The Register claims it found a quantity of data stolen from Perceptics available as a free download on the ‘dark web’.
CBP has admitted that copies of the images of faces and license plates were transferred to the subcontractor’s network, which is in breach of the agency’s own security and privacy rules. The subcontractor’s systems were hacked following this data transfer.
Commenting on the breach, Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, said: “What is strange in this story is the timing. Just after the unwarranted transfer of confidential data to the subcontractor’s network, they suddenly got hacked as if someone has been purposefully waiting for this. Of course, we may suppose that the subcontractor had been breached and backdoored for a while already, but this puts in question the vetting process at CBP when selecting suppliers to handle sensitive data. In any case, it is imperative that CBP conducts an internal audit on their suppliers to review how the latter enforce internal security and data handling procedures.”
Members of the US Congress have since raised concerns over whether the government’s use of surveillance technology puts citizens’ constitutional rights in jeopardy and opens millions of people to the danger of identity theft.
The breach could raise questions about the security of other facial recognition and biometric programmes taking place at airports across the world, including Delta’s biometric terminal in Atlanta, Heathrow’s e-passport gates and a British Airways trial in Orlando, Los Angeles, Miami and New York.