
CBP Breach Disclosed Images Of Travelers' Faces And Vehicle License Plates. Many Unanswered Questions

A security breach at a vendor used by U.S. Customs & Border Patrol (CBP) has disclosed images of both travelers and vehicle license plates. The Washington Post reported:

"Customs officials said in a statement Monday that the images, which included photos of people’s faces and license plates, had been compromised as part of an attack on a federal subcontractor. CBP makes extensive use of cameras and video recordings at airports and land border crossings, where images of vehicles are captured. Those images are used as part of a growing agency facial-recognition program designed to track the identity of people entering and exiting the United States. Fewer than 100,000 people were impacted, said CBP... Officials said the stolen information did not include other identifying information, and no passport or other travel document photos were compromised..."

Reportedly, CBP learned about the breach on May 31. The newspaper also reported:

"CBP said copies of “license plate images and traveler images collected by CBP” had been transferred to the subcontractor’s company network, violating the agency’s security and privacy rules. The subcontractor’s network was then attacked and breached. No CBP systems were compromised, the agency said."

A reporter posted on Twitter the brief statement by CBP, which was sent to selected news organizations:

"On May 31, 2009, CBP learned that a subcontractor, in violation of CBP policies and without CBP's authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor's company network. The subcontractor's network was subsequently compromised by a malicious cyber-attack. No CBP systems were compromised.

Initial information indicates that the subcontractor violated mandatory security and privacy controls outlined in their contract. As of today, none of the image data has been identified on the Dark Web or internet. CBP has alerted Members of Congress and is working closely with other law enforcement agencies and cybersecurity entities, and its own Office of Professional Responsibility to actively investigate the incident. CBP will unwaveringly work with all partners to determine the extent of the breach and the appropriate response. CBP has removed from service all equipment related to the breach and is closely monitoring all CBP work by the contractor..."

Well, that brief statement is a start... a small start. This security breach is very troubling for several reasons.

First, it seems that CBP was unaware of the contractual violation (e.g., downloaded images) until it was informed of the data breach. That suggests an inadequate contractual agreement between the vendor and CBP, or failures by CBP to monitor and enforce its contracts. That also raises more questions:

  • When and which executives at the vendor will be reprimanded for this violation?
  • Why did CBP fail to identify the download violation?
  • What changes are underway to prevent future violations?
  • Why is CBP continuing to use a vendor known to have severely violated its contractual agreement?
  • What other vendors have violated CBP contracts?

Second, CBP refused to disclose the name of the vendor. Why? What would this accomplish? Its statement described the breach as a "malicious cyberattack." That seems to warrant disclosure. Were CBP executives caught unprepared?

Thankfully, reporters at the Washington Post continued investigating:

"... a Microsoft Word document of CBP’s public statement, sent Monday to Washington Post reporters, included the name “Perceptics” in the title: “CBP Perceptics Public Statement.” Perceptics representatives did not immediately respond to requests for comment... reporters at The Register, a British technology news site, reported late last month that a large haul of breached data from the firm Perceptics was being offered as a free download on the dark web."

So, we don't know for sure if Perceptics was the CBP vendor. However, the May 23rd article in The Register indicates that Perceptics executives were already aware of the breach. CBP executives should have known about the breach on May 23, too, since the article mentioned both entities. Then, why did the CBP statement say it learned of the breach on May 31st? Something here smells -- arrogance, incompetence, or both.

Third, a check at press time of the CBP website and newsroom failed to find any mentions of the security breach. CBP executives have had since May 31st (or since May 23rd), so why send a statement only to select news organizations? Why not publish that statement on its website, too? Were CBP executives caught unprepared and then rushed a haphazard response? When will the breach investigation report be released?

This is troubling. It suggests either arrogance or unpreparedness. As a taxpayer, my money funds CBP activities. I want to know that my money is being spent effectively.

Fourth, the lack of a detailed breach announcement means many related questions remain unanswered:

  • When will CBP notify affected persons? If the vendor will notify affected persons, then CBP must disclose the vendor's name in advance.
  • What assistance (e.g., free credit monitoring) will CBP provide affected persons?
  • What is the status of the post-breach investigation? It helps to know how attackers broke in so effective fixes can be implemented.
  • What other data elements were accessed/stolen? Metadata (e.g., image date and timestamp, border crossing GPS location, entering or exiting USA, vehicle brand and model, number and ages of any passengers in vehicles, etc.) attached to the images can be just as damaging.
  • Were any data elements encrypted? If not, why not?
  • Can facial images be matched to vehicle plate images, and/or to other data elements? If so, this creates more problems for impacted persons.
  • When will fixes be implemented so this doesn't happen again?
  • Exactly how many persons were affected, and in what states? Local states' breach notification laws may apply.
  • How many of the affected persons are U.S. citizens? If the 100,000 estimate applies to only affected U.S. citizens, then we need to know the true total number of persons impacted by the breach.
  • Does the 100,000 estimate refer to facial images only? If so, then exactly how many vehicle license plate images were disclosed?

The statement of "fewer than 100,000 persons impacted" seems vague. A breach investigation should determine two fairly precise items: the number of facial images accessed/stolen, and the number of license plate images accessed/stolen.

Plus, it seems wise to assume more data was stolen during the breach. Why? Consider this report by The Atlantic:

"I would be cautious about assuming this data breach contains only photo data," said Chad Loder, the CEO of Habitu8, a cybersecurity firm that trains other companies on security awareness. The full scope of the breach may be much larger than what CBP revealed in its original statement, he said. In recent years, CBP has asked travelers for fingerprints, facial data, and, recently, even social-media accounts. "If CBP’s contractor was targeted specifically, it’s unlikely that the attacker would have stopped with just photo data..."

If social media passwords were stolen, then affected persons need to know so they can change online passwords. And, elected officials are also asking questions. The Hill reported:

"House Homeland Security Committee Chairman Bennie Thompson (D-Miss.) announced on Monday that his committee would hold hearings next month to examine the collection of biometric information by the Department of Homeland Security (DHS), which includes CBP... Homeland Security Committee ranking member Mike Rogers (R-Ala.), used the breach to criticize DHS’s handling of cybersecurity challenges, saying in a statement to The Hill that "the agency is ill-equipped to handle emerging cyberthreats"... Representative Cedric Richmond (D-La.), the chairman of the House Homeland Security subcommittee on cybersecurity, also called for more answers about the breach, which he said would inform Congress's next steps... Senator Brian Schatz (D-Hawaii), the ranking member of the Senate Commerce Subcommittee on Communications, Technology, Innovation and the Internet, said he thinks the breach merits an investigation by the Office of the Inspector General."

Good suggestion by Senator Schatz. Clearly, there's plenty more news to come. Plenty.



Chanson de Roland

The Editor raises many good questions. However, some of them are answered by the fact that CBP is simultaneously a law enforcement, intelligence, national security, immigration, and childcare agency and that its contractors and subcontractors often implicate CBP’s roles and functions in those areas. That means that the type and extent of disclosures that we could reasonably expect from a private, non-governmental firm simply cannot and should not come from CBP on this matter. Whatever fuller disclosure CBP can and should make will be restrained and limited by its roles, supra, and may well require extensive vetting and high-level decision making across several government agencies. So for these reasons alone, it is unlikely that we will ever get the level of disclosure that many seek, nor should we.

Members of Congress, however, who have the appropriate security clearances and who sit on the relevant Congressional committees, using Congress in the proper sense of meaning both the Senate and the House, can, as our representatives, receive fuller disclosure on this breach and probably will. But law and rules of Congress will almost certainly prevent them from sharing those disclosures with the public.

So the public will receive the disclosures that the Secretary or Acting Secretary of the Department of Homeland Security deems appropriate.

The Editor has a second good question: Why is CBP still using a firm that it declares violated its policies and procedures for handling this type of data, which, as I note supra, has law enforcement, intelligence, and privacy implications? The short answer is probably because it has to. The contractors who do this kind of work for the United States are often highly specialized, so that there were probably only a handful who met the security and technical requirements to even bid for the work. And the bidding process itself is a mind-numbing complexity of laws and regulations that must be complied with to be able to contract with a qualifying firm. And the contract itself will be a very complex, legally binding document that gives rights to the contractor and the government. So CBP can’t just fire this firm because it may well be doing critical work for which there aren’t any firms that can immediately replace it; because hiring a new firm involves a complex process of rebidding pursuant to law and regs.; because just firing the firm without appropriate review could cause the United States to be in breach of contract; and because, at the end of the day, notwithstanding any breach by the firm, it may still be the best firm or even the only firm for the job, so that firing it would be harmful to the best interests of the United States. It may also be the case that this was an innocent error rather than misfeasance or malfeasance and also could have arisen from good faith efforts to perform the contract or comply with CBP’s request. So firing this firm may happen, but it will happen, if at all, only after a period of thorough review of the law, culpability, and what’s in the best interests of the United States.

The Editor is also concerned that CBP didn’t disclose the data breach earlier, when it may have learned of the breach on 23 May 2019, not disclosing until quite recently. Well, a lot depends on what is meant by knowing of the breach and also on some of the considerations that I allude to, supra. If the CBP did first learn of the breach on 23 May, it at best got an initial communication from its contractor that there might have been a breach but that the contractor didn’t know the extent or nature of the breach. The contractor also probably informed CBP so that it could inform the relevant and possibly affected law enforcement and intelligence agencies. Immediately the FBI starts investigating, with the most immediate concern being that of containing and neutralizing the malware assault to prevent it from propagating to other government computers. This is now a law enforcement and counterintelligence investigation. That takes priority over everything else and governs what disclosures, if any, will be made to the public and when, if ever, those disclosures will be made. Then there is the review and investigation to determine just what is known about this breach. So CBP probably didn’t know about this data breach, in the sense of having any idea about its extent and nature, for at least a week. And it would have been the Acting Secretary of Homeland Security, with consultation from the FBI Director, U.S. Attorney General, and other affected agencies and consultation from CBP’s legal department on the contract issues, who made the decision on the disclosure, which, once drafted, would have been subject to review and approval by all the foregoing agencies and senior level cabinet officers and agency heads. All of that takes time. So, if it is true that CBP first learned of this data breach on 23 May, then disclosing the data breach now is pretty quick, when you consider what had to be done.


Thanks to Roland for a comprehensive and thoughtful reply. Time will tell. Meanwhile, thank God for investigative reporting. It seems that far more sensitive data was exposed/stolen. The documents stolen during the data breach:

"... revealed the inner workings of a complex surveillance network that border authorities have long sought to keep secret. CBP officials have downplayed the significance of the material taken in the hack... That assessment, however, woefully understates the number of sensitive documents that are now freely available on the Web — so much material, totaling hundreds of gigabytes, that The Washington Post required several days of computer time to capture it all."

"The documents offer an unusually intimate glimpse of the machinery that U.S. officials depend on for the constant monitoring of legal immigration through the border. They also illuminate the government’s plans for expanding its use of license plate readers and facial-recognition cameras, including such details as how many cameras are focused on which traffic lanes at some of the busiest border crossings in the world... The hoard of hacked documents includes detailed schematics, confidential agreements, equipment lists, budget spreadsheets, internal photos and hardware blueprints for security systems... Among potentially sensitive government material are internal Department of Homeland Security handbooks, border surveillance diagrams and dozens of signed nondisclosure agreements between the subcontractor and government authorities, as well as companies such as Microsoft and the defense-contracting giant Northrop Grumman..."


Geez! If the Washington Post has these sensitive documents, then other countries' intelligence agencies likely have them, too. And since some of those intelligence agencies are operated by our adversaries, then the bad guys have the documents, too.

This is #FUBAR. Somebody needs to be held accountable. Hopefully, our Congressional representatives will ask relentless, probing questions and demand full answers -- even if they can't tell the public. We taxpayers need to know this breach is being fully and competently investigated; with full and effective post-breach fixes implemented.

