You don’t have to be hacked to lose control of your sensitive data.

That truth was brought home again this month when it was revealed that information gathered by the United States Customs and Border Protection (CBP), the largest federal law enforcement agency at the Department of Homeland Security, had leaked onto the internet.

And how had the data leaked? The CBP wasn’t hacked. Instead, a subcontracting company working for the CBP had copied onto its own network the digital photos of “fewer than 100,000” travellers and licence plates, captured as they passed through a land border crossing.

The copying of the data, which was done without the knowledge or authorisation of the CBP, would normally be bad enough. But what made things worse is that the subcontracting company, Perceptics, was then itself hacked.

The result? Not only were the photographs now in the hands of hackers but, as Gizmodo reports, more than 400 GB of other data was stolen from Perceptics’ network, including databases, spreadsheets, HR records, business plans, financial figures, as well as personal information.

The stolen data has been distributed via torrent sites, and is now available for anyone to download from the web if they know where to look.

It’s clear that whoever hacked Perceptics wasn’t picky about what they took, as even MP3 music files were scooped up from workers’ desktops, including “Superstition” by Stevie Wonder, “Wannabe” by the Spice Girls, and a variety of AC/DC and Cat Stevens songs.

The CBP hasn’t confirmed or denied that Perceptics was the hacked subcontractor, but it did say “the subcontractor violated mandatory security and privacy protocols outlined in their contract.”

“We’re making these files available for public review because they provide an unprecedented and intimate look at the mass surveillance of legal travel, as well as more local surveillance of turnpike and secure facilities,” said journalist Emma Best, one of the team which has chosen to share the vast amount of breached data online. “Most importantly they provide a glimpse of how the government and these companies protect our information—or, in some cases, how they fail to.”

Lesson? Your organisation may take security and privacy seriously, but if you have subcontractors and partners who are more lax about how they protect their networks, then it might be your data that ends up on the internet for anyone to read. A contract clause forbidding them from copying your data is only as good as your ability to verify that they comply with it.

To hear more about this case, be sure to check out the episode of the “Smashing Security” podcast we released earlier this month.
