The U.S. Customs and Border Protection agency failed to enforce basic security practices at a contractor that was hacked last year, exposing some 100,000 individual photos of travelers, a new inspector general report has found.
Some of the hacked images ended up on the dark web, but the entire episode “may damage the public’s trust in the government’s ability to safeguard biometric data,” the Department of Homeland Security’s inspector general concluded in a report released Wednesday.
It’s an example of how, as federal immigration and security agencies increasingly draw on biometric data for their work, the stakes for protecting that data from hackers have grown.
The data collection was for a CBP pilot to use facial recognition to screen travelers at ports of entry. The project went awry when surveillance technology company Perceptics, a subcontractor, downloaded sensitive CBP data from an unencrypted device and transferred it to the company’s network, according to the inspector general probe. That violated DHS security requirements, but responsibility also lies with CBP, the watchdog said.
“Additional IT security controls in place during the pilot could have prevented Perceptics from violating contract clauses and using an unencrypted hard drive to access and download biometric images at the pilot site,” the report states.
With those security weaknesses in place, a ransomware attack struck Perceptics sometime in the spring of 2019. The attackers had access to the Perceptics networks that not only stored the photos from the pilot, but also 105,000 license plate images from another project, the inspector general said.
CBP officials disagreed with the report’s conclusion that the agency failed to protect data, citing security requirements CBP spells out for contractors. “CBP had no reason to believe that Perceptics would remove the data in violation of the terms of their contract,” officials said in response to a draft of the IG report.
Perceptics never paid the ransom, according to the report. After CBP initially said that no images had ended up on the dark web, Vice’s Motherboard found and downloaded thousands of images believed to be associated with the breach. Many of those photos were unrelated to the pilot.
The inspector general also faulted Perceptics and Unisys, another contractor that hired Perceptics for the project, for failing to immediately report the breach, which CBP learned about from the news media.
Perceptics did not respond to a request for comment on Wednesday. Unisys declined to comment.
After the breach, CBP suspended its work with Perceptics, and currently does not contract with the firm, according to the IG.
The report makes several security recommendations, including security checks on external devices and penetration testing, some of which CBP said it was already carrying out.
“It is vital that CBP protect against unauthorized access to data from cameras and related equipment used for biometric confirmation, especially when entrusting third parties to manage its [sensitive personally identifiable information],” the IG report concludes. “These measures are particularly important as CBP is increasing its biometric data collection efforts at more and more ports of entry.”