Securing The Nation With Insecure Databases: CBP Vendor Hacked, Exposing Thousands Of License Plate, Car Passenger Photos

from the guess-you-have-to-give-up-some-security-to-gain-some-security? dept

US Customs and Border Protection has suffered an inevitability in the data collection business. The breach was first reported by the Washington Post. It first appeared to affect the DHS's airport facial recognition system, but further details revealed it was actually a border crossing database that was compromised.

The breach involved photos of travelers and their vehicles, which shows the CPB is linking people to vehicles with this database, most likely to make it easier to tie the two together with the billions of records ICE has access to through Vigilant's ALPR database.

The breach involved a contractor not following the rules of its agreement with the CBP. According to the vendor agreement, all harvested data was supposed to remain on the government's servers. This breach targeted the vendor, which means the contractor had exfiltrated photos and plate images it was specifically forbidden from moving to its own servers.

According to reports from other news agencies, the breach likely involve Perceptics, a Tennessee-based manufacturer of stationary license plate readers. The Register first reported a breach there on May 23, after being contacted by a hacker possibly involved with the attack on the company's servers. The CBP claims it was not aware of this breach until May 31. But this piece of info from the Register's article seems to indicate Perceptics may be the vendor the agency has refused to name.

Perceptics recently announced, in a pact with Unisys Federal Systems, it had landed "a key contract by US Customs and Border Protection to replace existing LPR technology, and to install Perceptics next generation License Plate Readers (LPRs) at 43 US Border Patrol check point lanes in Texas, New Mexico, Arizona, and California."

This is all but confirmed in the Washington Post's report, which contains another link to Perceptics the CBP has refused to officially confirm.

CBP would not say which subcontractor was involved. But a Microsoft Word document of CBP’s public statement, sent Monday to Washington Post reporters, included the name “Perceptics” in the title: “CBP Perceptics Public Statement.”

No personal info was included in the breach, which the CBP said affected about 100,000 travelers entering and exiting the US through a single point of entry. It also claims it hasn't seen any of the data surface on the light or dark web, so there's that, if that statement is actually true.

This news has prompted many reactions, including some very obvious ones: first and foremost, the easiest way to minimize the damage of inevitable data breaches is to not harvest so much damn data. Unfortunately, the DHS's plans only involve expansion of its existing collection programs, including a larger rollout of its airport biometric scanning and its new mandatory collection of social media info from incoming foreigners.

It's pretty tough to secure a nation when you can't secure a database. This breach may have been the result of a vendor breaking the rules, but the Office of Personnel Management breach proves the US government isn't immune from these attacks. The more you gather and store in one place, the more often you'll be targeted by enemies foreign and domestic.

Finally, the incident has angered a handful of Congressional reps.

House Homeland Security Committee Chairman Bennie Thompson (D-Miss.) announced on Monday that his committee would hold hearings next month to examine the collection of biometric information by the Department of Homeland Security (DHS), which includes CBP. Thompson also noted that he wants to ensure “we are not expanding the use of biometrics at the expense of the privacy of the American public.” Homeland Security Committee ranking member Mike Rogers (R-Ala.), used the breach to criticize DHS’s handling of cybersecurity challenges, saying in a statement to The Hill that “the agency is ill-equipped to handle emerging cyberthreats.” “The data breach resulted from a contractor acting improperly and against agency policy,” Rogers said. “We need to take steps to ensure this does not happen again.”

Ensuring contractors follow the rules isn't really a solution. It may reduce the number of attack vectors, but it doesn't address the underlying issue: we're collecting more data on people than ever before and breaches are not a matter of "if," but "when." Until Congress gets serious about scaling back these massive collections, these will remain popular targets with the potential to cause a tremendous amount of harm to the millions of people who pass through our borders and airports.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community. Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis. While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: alpr, cbp, hacked, license plates, photos, privacy

Companies: perceptics