CBP Breach Disclosed Images Of Travelers' Faces And Vehicle License Plates. Many Unanswered Questions
A security breach at a vendor used by U.S. Customs and Border Protection (CBP) has disclosed images of travelers' faces and of vehicle license plates. The Washington Post reported:
"Customs officials said in a statement Monday that the images, which included photos of people’s faces and license plates, had been compromised as part of an attack on a federal subcontractor. CBP makes extensive use of cameras and video recordings at airports and land border crossings, where images of vehicles are captured. Those images are used as part of a growing agency facial-recognition program designed to track the identity of people entering and exiting the United States. Fewer than 100,000 people were impacted, said CBP... Officials said the stolen information did not include other identifying information, and no passport or other travel document photos were compromised..."
Reportedly, CBP learned about the breach on May 31. The newspaper also reported:
"CBP said copies of “license plate images and traveler images collected by CBP” had been transferred to the subcontractor’s company network, violating the agency’s security and privacy rules. The subcontractor’s network was then attacked and breached. No CBP systems were compromised, the agency said."
A reporter posted on Twitter the brief statement by CBP, which was sent to selected news organizations:
"On May 31, 2019, CBP learned that a subcontractor, in violation of CBP policies and without CBP's authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor's company network. The subcontractor's network was subsequently compromised by a malicious cyber-attack. No CBP systems were compromised.
Initial information indicates that the subcontractor violated mandatory security and privacy controls outlined in their contract. As of today, none of the image data has been identified on the Dark Web or internet. CBP has alerted Members of Congress and is working closely with other law enforcement agencies and cybersecurity entities, and its own Office of Professional Responsibility to actively investigate the incident. CBP will unwaveringly work with all partners to determine the extent of the breach and the appropriate response. CBP has removed from service all equipment related to the breach and is closely monitoring all CBP work by the contractor..."
Well, that brief statement is a start... a small start. This security breach is very troubling for several reasons.
First, it seems that CBP was unaware of the contractual violation (i.e., the copying of images to the vendor's own network) until it was informed of the data breach. That suggests either an inadequate contractual agreement between the vendor and CBP, or a failure by CBP to monitor and enforce the contract it had. That also raises more questions:
- Which vendor executives will be held accountable for this violation, and when?
- Why did CBP fail to identify the download violation?
- What changes are underway to prevent future violations?
- Why is CBP continuing to use a vendor known to have severely violated its contractual agreement?
- What other vendors have violated CBP contracts?
Second, CBP refused to disclose the name of the vendor. Why? What would this accomplish? Its statement described the breach as a "malicious cyberattack." That seems to warrant disclosure. Were CBP executives caught unprepared?
Thankfully, reporters at the Washington Post continued investigating:
"... a Microsoft Word document of CBP’s public statement, sent Monday to Washington Post reporters, included the name “Perceptics” in the title: “CBP Perceptics Public Statement.” Perceptics representatives did not immediately respond to requests for comment... reporters at The Register, a British technology news site, reported late last month that a large haul of breached data from the firm Perceptics was being offered as a free download on the dark web."
So, we don't know for sure that Perceptics was the CBP vendor. However, the May 23rd article in The Register indicates that a large set of Perceptics data was already circulating, so Perceptics executives were presumably already aware of the breach. Since that article mentioned both entities, CBP executives should have known about the breach on May 23rd, too. Then why did the CBP statement say it learned of the breach on May 31st? Something here smells -- arrogance, incompetence, or both.
Third, a check at press time of the CBP website and newsroom failed to find any mention of the security breach. CBP executives have had since May 31st (or since May 23rd) to prepare a response, so why send a statement only to select news organizations? Why not publish that statement on the agency's website, too? Were CBP executives caught unprepared and then rushed a haphazard response? When will the breach investigation report be released?
This is troubling. It suggests either arrogance or unpreparedness. As a taxpayer, my money funds CBP activities. I want to know that my money is being spent effectively.
Fourth, the lack of a detailed breach announcement means many related questions remain unanswered:
- When will CBP notify affected persons? If the vendor will notify affected persons, then CBP must disclose the vendor's name in advance.
- What assistance (e.g., free credit monitoring) will CBP provide affected persons?
- What is the status of the post-breach investigation? It helps to know how attackers broke in so effective fixes can be implemented.
- What other data elements were accessed or stolen? Metadata attached to the images (e.g., capture date and timestamp, the border crossing's location, direction of travel, vehicle make and model, number and ages of any passengers) can be just as damaging as the images themselves, because it turns an anonymous photo into a record of who was where, and when.
- Were the stolen data elements encrypted? If not, why not? (Encryption at rest only helps if the attacker did not also obtain the keys or reach the data through the same systems the subcontractor's staff used; the investigation should say which was the case.)
- Can facial images be matched to vehicle plate images, and/or to other data elements? If the image sets share timestamps and lane or location identifiers, a face can be linked to a vehicle and, through the plate, to a registered owner. If so, this creates far more problems for impacted persons.
- When will fixes be implemented so this doesn't happen again?
- Exactly how many persons were affected, and in which states? State breach notification laws may apply, depending on what each state counts as personal information.
- How many of the affected persons are U.S. citizens? If the 100,000 estimate applies to only affected U.S. citizens, then we need to know the true total number of persons impacted by the breach.
- Does the 100,000 estimate refer to facial images only? If so, then exactly how many vehicle license plate images were disclosed?
The statement of "fewer than 100,000 persons impacted" seems vague. A breach investigation should determine two fairly precise items: the number of facial images accessed/stolen, and the number of license plate images accessed/stolen.
Plus, it seems wise to assume more data was stolen during the breach. Why? Consider this report by The Atlantic:
"I would be cautious about assuming this data breach contains only photo data," said Chad Loder, the CEO of Habitu8, a cybersecurity firm that trains other companies on security awareness. The full scope of the breach may be much larger than what CBP revealed in its original statement, he said. In recent years, CBP has asked travelers for fingerprints, facial data, and, recently, even social-media accounts. "If CBP’s contractor was targeted specifically, it’s unlikely that the attacker would have stopped with just photo data..."
If social media account details were stolen, then affected persons need to know so they can review those accounts and change their passwords. And elected officials are also asking questions. The Hill reported:
"House Homeland Security Committee Chairman Bennie Thompson (D-Miss.) announced on Monday that his committee would hold hearings next month to examine the collection of biometric information by the Department of Homeland Security (DHS), which includes CBP... Homeland Security Committee ranking member Mike Rogers (R-Ala.), used the breach to criticize DHS’s handling of cybersecurity challenges, saying in a statement to The Hill that "the agency is ill-equipped to handle emerging cyberthreats"... Representative Cedric Richmond (D-La.), the chairman of the House Homeland Security subcommittee on cybersecurity, also called for more answers about the breach, which he said would inform Congress's next steps... Senator Brian Schatz (D-Hawaii), the ranking member of the Senate Commerce Subcommittee on Communications, Technology, Innovation and the Internet, said he thinks the breach merits an investigation by the Office of the Inspector General."
Good suggestion by Senator Schatz. Clearly, there's plenty more news to come. Plenty.