The US Customs and Border Protection agency (CBP) recently announced that a data breach suffered by a sub-contractor compromised photos and licence plates of nearly 100,000 people who had crossed a land border entry port within a 45-day period.
The border agency said that it learned about the breach on May 31 and established that photographs and licence plates lost to hackers belonged to "fewer than 100,000 people" who entered and exited the country through a single land border entry port within the period of over a month and a half.
Even though the border agency stated with confidence that none of the compromised images of people's faces or licence plates were found on the Dark Web or the Internet and also refused to name the sub-contractor that suffered the breach, The Washington Post learned from an unnamed official that the sub-contractor was Perceptics and the photos belonged to people who entered and exited through a US-Canadian border post.
The Post also noted that the Microsoft Word document of the border agency's public statement was titled "CBP Perceptics Public Statement" and it also referred to a report from The Register that revealed that "a large haul of breached data from the firm Perceptics was being offered as a free download on the dark web".
The official who spoke to The Washington Post said that the breach was being treated within the border agency as "a major incident" and that Perceptics "was attempting to use the data to refine its algorithms to match license plates with the faces of a car’s occupants".
Border agency breach occurred due to violation of security protocols by the subcontractor
"CBP learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network," the border agency said in a statement.
"Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract. No passport or other travel document photographs were compromised and no images of airline passengers from the air entry/exit process were involved," it added.
Commenting on the compromise of photos and licence plate numbers of nearly 100,000 people, Sherrod DeGrippo, Senior Director of Threat Research and Detection at Proofpoint, said that it is critical that organisations prioritize the security and access controls of their vendors, providers, and partners as these groups regularly handle sensitive data and have the same culpability as the organisation itself.
"We recommend that organisations review subcontractors and other providers’ data security posture as if it were their own. Additionally, organisations can develop threat profiles that highlight areas of risk across verticals and implement a proactive people-centric security approach that mitigates each threat appropriately," she added.
Following the news of the data breach, Neema Singh Guliani, senior legislative counsel at the American Civil Liberties Union, told The Washington Post that the incident underscored the need to "put the brakes" on the border agency's efforts to expand its massive face recognition apparatus and collection of sensitive information from travellers. "The best way to avoid breaches of sensitive personal data is not to collect and retain it in the first place," she said.
Commenting on such statements, John Gunn, CMO of OneSpan said that biometric technology is not a panacea or a Big Brother conspiracy but a developing technology that is imperfect and has weaknesses and vulnerabilities like every technological advance in our history, but the net sum gain of its use is indisputably positive.
"Opponents argue that any potential misuse or compromise should disqualify the use of biometrics, but using this flawed logic would mean that all law enforcement officers’ should be stripped of their firearms because they are sometimes taken or misused by criminals. Like any tool used against criminal activities, biometric technology must be applied intelligently and with proper safeguards," he said.
ALSO READ: Businesses must make biometrics part of their cyber security DNA