Photos of travelers taken in data breach, Customs and Border Protection says | TribLIVE.com
U.S./World

Photos of travelers taken in data breach, Customs and Border Protection says

The Washington Post
1276199_web1_breach-2ndld-writethru-29ed7b10-8bd2-11e9-b08e-cfd89bd36d4e
Sarah L. Voisin | The Washington Post
Pedestrians and cars head into the United States from Ciudad Juarez, Chihuahua, Mexico, via the Paso del Norte International Bridge in January.

WASHINGTON — U.S. Customs and Border Protection officials said Monday that photos of travelers had been compromised as part of a “malicious cyberattack,” raising concerns over how federal officials’ expanding surveillance efforts could imperil Americans’ privacy.

Customs officials said in a statement Monday that the images, which included photos of people’s faces and license plates, had been compromised as part of an attack on a federal subcontractor.

The CBP makes extensive use of cameras and video recordings at airports and land border crossings, where images of vehicles are captured. Those images are used as part of a growing agency facial-recognition program designed to track the identity of people entering and exiting the United States.

The CBP says airport operations were not affected by the breach, but it declined to say how many people might have had their images stolen. The agency processes more than a million passengers and pedestrians crossing the U.S. border on an average day, including more than 690,000 incoming land travelers.

A CBP statement said that the agency learned of the breach on May 31 and that none of the image data had been identified “on the Dark Web or Internet.” But reporters at The Register, a British technology news site, reported late last month that a large haul of breached data from the firm Perceptics was being offered as a free download on the dark web.

The CBP would not say which subcontractor was involved. But a Microsoft Word document of the agency’s public statement, sent Monday to Washington Post reporters, included the name “Perceptics” in the title: “CBP Perceptics Public Statement.”

Perceptics representatives did not immediately respond to requests for comment.

CBP spokeswoman Jackie Wren said she was “unable to confirm” whether Perceptics was the source of the breach.

The breach raised alarms in Congress, where lawmakers have questioned whether the government’s expanded surveillance measures could threaten constitutional rights and expose millions of innocent people to identity theft.

“If the government collects sensitive information about Americans, it is responsible for protecting it — and that’s just as true if it contracts with a private company,” Sen. Ron Wyden, D-Ore., said in a statement to The Post. “Anyone whose information was compromised should be notified by Customs, and the government needs to explain exactly how it intends to prevent this kind of breach from happening in the future.”

Wyden said the theft of the data should alarm anyone who has advocated for expanded surveillance powers for the government. “These vast troves of Americans’ personal information are a ripe target for attackers,” he said.

Civil-rights and privacy advocates also called the theft of the information a sign that the government’s growing database of identifying imagery had become an alluring target for hackers and cybercriminals.

“This breach comes just as CBP seeks to expand its massive face recognition apparatus and collection of sensitive information from travelers, including license plate information and social media identifiers,” said Neema Singh Guliani, senior legislative counsel at the American Civil Liberties Union. “This incident further underscores the need to put the brakes on these efforts and for Congress to investigate the agency’s data practices. The best way to avoid breaches of sensitive personal data is not to collect and retain it in the first place.”

The CBP said copies of “license plate images and traveler images collected by CBP” had been transferred to the subcontractor’s company network, violating the agency’s security and privacy rules. The subcontractor’s network was then attacked and breached. No CBP systems were compromised, the agency said.

It’s unclear whether passport or facial-recognition photos were included in the breach.

Perceptics and other companies offer automated license-plate-reading devices that federal officials can use to track a vehicle, or its owner, as it travels on public roads.

Immigration agents have used such databases to track down people who may be in the country illegally. Police agencies have also used the data to look for potential criminal suspects.

Perceptics, based in Farragut, Tennessee, has championed its technology as a key part of keeping borders secure. “You want technology that generates data you can trust and delivers it when and where you need it most,” a marketing website says.

The company also said recently that it had installed license-plate readers at 43 U.S. Border Patrol checkpoint lanes across Arizona, California, New Mexico and Texas, saying they offered border guards “superior images with the highest license plate read rate accuracy in North America.”

The federal government, as well as the group of private contractors it works with, has access to a swelling database of people’s cars and faces, which it says is necessary to enhance security and enforce border laws.

The FBI has access to more than 640 million photos, including from passports and driver licenses, that it can scan with facial-recognition systems while conducting criminal investigations, a representative for the Government Accountability Office told the House Committee on Oversight and Reform at a hearing last week.

Rep. Bennie Thompson, D-Miss., chairman of the House Homeland Security Committee, said he intended to hold hearings next month on the Homeland Security Department’s use of biometric information.

“Government use of biometric and personal identifiable information can be valuable tools only if utilized properly. Unfortunately, this is the second major privacy breach at DHS this year,” Thompson said in a statement to The Post. “We must ensure we are not expanding the use of biometrics at the expense of the privacy of the American public.”

Categories: News | Top Stories | World
TribLIVE commenting policy

You are solely responsible for your comments and by using TribLive.com you agree to our Terms of Service.

We moderate comments. Our goal is to provide substantive commentary for a general readership. By screening submissions, we provide a space where readers can share intelligent and informed commentary that enhances the quality of our news and information.

While most comments will be posted if they are on-topic and not abusive, moderating decisions are subjective. We will make them as carefully and consistently as we can. Because of the volume of reader comments, we cannot review individual moderation decisions with readers.

We value thoughtful comments representing a range of views that make their point quickly and politely. We make an effort to protect discussions from repeated comments either by the same reader or different readers

We follow the same standards for taste as the daily newspaper. A few things we won't tolerate: personal attacks, obscenity, vulgarity, profanity (including expletives and letters followed by dashes), commercial promotion, impersonations, incoherence, proselytizing and SHOUTING. Don't include URLs to Web sites.

We do not edit comments. They are either approved or deleted. We reserve the right to edit a comment that is quoted or excerpted in an article. In this case, we may fix spelling and punctuation.

We welcome strong opinions and criticism of our work, but we don't want comments to become bogged down with discussions of our policies and we will moderate accordingly.

We appreciate it when readers and people quoted in articles or blog posts point out errors of fact or emphasis and will investigate all assertions. But these suggestions should be sent via e-mail. To avoid distracting other readers, we won't publish comments that suggest a correction. Instead, corrections will be made in a blog post or in an article.