A recent breach of U.S. Customs and Border Protection traveler photo and license plate data has led experts to condemn the collection and storage of facial recognition data.

UPDATE

The U.S. Customs and Border Protection said that a recent data breach exposed photos of the faces and license plates for more than 100,000 travelers driving in and out of the country.

The department said Monday that the breach stemmed from an attack on a federal subcontractor. Customs and Border Protection (CBP) said it learned of the breach on May 31, and that the data collected – photos of travelers and their license plates who were entering and exiting the U.S. in vehicles – extended over a six week period.

“On May 31, 2019, CBP learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network,” a CBP spokesperson told Threatpost. “The subcontractor’s network was subsequently compromised by a malicious cyber-attack. No CBP systems were compromised.”

Initial reports indicate that the traveler images involved fewer than 100,000 people; photographs were taken of travelers in vehicles entering and exiting the United States through a few specific lanes at a single land border Port of Entry over a 1.5 month period, a CBP spokesperson told Threatpost in an email.

While CBP did not specify the subcontractor, in May, the Register reported that vehicle license plate reader company Perceptics was hacked and its files were dumped online. And, the Washington Post said that an emailed statement sent to reporters included a title: “CBP Perceptics Public Statement.”

According to Perceptics’ website, its technology is utilized for border security, electronic toll collection, and commercial vehicle security, and collects data from images on license plates – such as state, plate number, plate type and time stamps – as well as driver images. A recent Perceptics news release said that its license plate readers were installed at 43 U.S. Border Patrol check point lanes in Texas, New Mexico, Arizona, and California.

It’s unclear as of Tuesday whether the Perceptics breach is separate or related to the CBP data hack; Perceptics did not respond to a request for comment from Threatpost.

However, “initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract,” CBP said in its statement. “As of today, none of the image data has been identified on the Dark Web or internet. CBP has alerted members of Congress and is working closely with other law enforcement agencies and cybersecurity entities, and its own Office of Professional Responsibility to actively investigate the incident. CBP will unwaveringly work with all partners to determine the extent of the breach and the appropriate response.”

The CBP spokesperson said the department has also removed from service all equipment related to the breach and is closely monitoring all CBP work by the subcontractor.

“CBP requires that all contractors and service providers maintain appropriate data integrity and cybersecurity controls and follow all incident response notification and remediation procedures,” said the spokesperson. “CBP takes its privacy and cybersecurity responsibilities very seriously and demands all contractors to do the same.”

Beyond license plate and image data, “no other identifying information was included with the images,” the CBP spokesperson said. “No passport or other travel document photographs were compromised and no images of airline passengers from the air entry/exit process were involved.”

The said “air entry/exit process” refers to CBP’s “Biometric Exit” program introduced in 2015, which scans passenger faces and matches them with photos that the government has on file. The program is currently operational in 17 locations.

And while officials say the Biometric Exit program wasn’t involved in the hack, the CBP data breach is bringing this use case of facial recognition – and other use cases – under fire by privacy experts.

“This breach comes just as CBP seeks to expand its massive face recognition apparatus and collection of sensitive information from travelers, including license plate information and social media identifiers,” Neema Singh Guliani, senior legislative counsel at the American Civil Liberties Union said in a statement. “This incident further underscores the need to put the brakes on these efforts and for Congress to investigate the agency’s data practices. The best way to avoid breaches of sensitive personal data is not to collect and retain such data in the first place.”

Facial Recognition

The CBD data breach heightens concerns about the security of stored data – and it’s not the first time biometric data has come under attack. The 2015 Office of Personnel Management data breach, which resulted in the theft of fingerprint data of 5.6 million, first brought about concerns for biometrics security.

The issue of biometrics and security meanwhile comes as facial recognition is being actively used by police forces and even at the White House. And it’s not just the U.S; biometrics are spreading worldwide. The EU in April approved a massive biometrics database that combines data from law enforcement, border patrol and more for both EU and non-EU citizens.

“A controversial topic right now is the abuse of facial recognition and license plate tracking software to improperly surveil the general population,” Dan Tuchler, CMO at SecurityFirst said. “We don’t want to live in a police state. With the theft of photos of people entering or exiting the country, will hackers use these photos in combination with other data to create problems for citizens and travelers? Once again it is a partner that was hacked. Every responsible organization needs to be vigilant and ensure that their partners are securing vital data.”

Making matters worse, when it comes to the collection, storage and sharing of biometrics, it’s a “Wild West”, Adam Schwartz, senior staff attorney with the Electronic Frontier Foundation’s civil liberties team recently told Threatpost.

“More and more of our biometric information is being shared among various private and government actors and ending up in databases,” Schwartz told Threatpost. “Those involve tremendous risk because for one, thieves can steal the data; and two, employees can misuse the data.”

Tim Mackey, principal security strategist CyRC at Synopsys said that due to the nature of the data involved in cross border activities, “CBP and its sub-contractors are a prime target for malicious actors seeking to disrupt travel and trade between the US and its partners.”

“In the case of this breach, CBP disclosed sensitive image data relating to border crossings was transferred from CBP to one of its sub-contractors contrary to CBP policies,” he said. “From an IT governance perspective, this data transfer calls into question the level of authorization required for data transfer between systems connected to a CBP network and serves as a lesson for everyone running an IT system with access to sensitive data.”

Public concern has also increased when it comes to facial recognition: A recent Threatpost poll found that more than half of poll respondents have negative feelings toward facial recognition due to issues related to privacy and security – while 30 percent more said they have “mixed” feelings, understanding both the benefits and privacy concerns.

“Any disclosure of traveler information is obviously concerning to anyone who has crossed the US border recently, but should be looked at through the lens of how the evolution of technology is occurring at our border,” said Mackey. “With Trusted Traveler programs like Global Entry, Nexus and Mobile Passports becoming the norm for frequent travelers and with pilot programs using facial recognition systems occurring with some airlines, public confidence in the security of traveler data and cross border commerce is paramount.”

Ransomware is on the rise: Don’t miss our free Threatpost webinar on the ransomware threat landscape, June 19 at 2 p.m. ET. Join Threatpost and a panel of experts as they discuss how to manage the risk associated with this unique attack type, with exclusive insights into new developments on the ransomware front and how to stay ahead of the attackers.

This article was updated on June 11 at 10 AM EST with further comments from the CBP.