Securing The Nation With Insecure Databases: CBP Vendor Hacked, Exposing Thousands Of License Plate, Car Passenger Photos
from the guess-you-have-to-give-up-some-security-to-gain-some-security? dept
US Customs and Border Protection has suffered an inevitability in the data collection business. The breach was first reported by the Washington Post. It first appeared to affect the DHS's airport facial recognition system, but further details revealed it was actually a border crossing database that was compromised.
The breach involved photos of travelers and their vehicles, which shows the CPB is linking people to vehicles with this database, most likely to make it easier to tie the two together with the billions of records ICE has access to through Vigilant's ALPR database.
The breach involved a contractor not following the rules of its agreement with the CBP. According to the vendor agreement, all harvested data was supposed to remain on the government's servers. This breach targeted the vendor, which means the contractor had exfiltrated photos and plate images it was specifically forbidden from moving to its own servers.
According to reports from other news agencies, the breach likely involve Perceptics, a Tennessee-based manufacturer of stationary license plate readers. The Register first reported a breach there on May 23, after being contacted by a hacker possibly involved with the attack on the company's servers. The CBP claims it was not aware of this breach until May 31. But this piece of info from the Register's article seems to indicate Perceptics may be the vendor the agency has refused to name.
Perceptics recently announced, in a pact with Unisys Federal Systems, it had landed "a key contract by US Customs and Border Protection to replace existing LPR technology, and to install Perceptics next generation License Plate Readers (LPRs) at 43 US Border Patrol check point lanes in Texas, New Mexico, Arizona, and California."
This is all but confirmed in the Washington Post's report, which contains another link to Perceptics the CBP has refused to officially confirm.
CBP would not say which subcontractor was involved. But a Microsoft Word document of CBP’s public statement, sent Monday to Washington Post reporters, included the name “Perceptics” in the title: “CBP Perceptics Public Statement.”
No personal info was included in the breach, which the CBP said affected about 100,000 travelers entering and exiting the US through a single point of entry. It also claims it hasn't seen any of the data surface on the light or dark web, so there's that, if that statement is actually true.
This news has prompted many reactions, including some very obvious ones: first and foremost, the easiest way to minimize the damage of inevitable data breaches is to not harvest so much damn data. Unfortunately, the DHS's plans only involve expansion of its existing collection programs, including a larger rollout of its airport biometric scanning and its new mandatory collection of social media info from incoming foreigners.
It's pretty tough to secure a nation when you can't secure a database. This breach may have been the result of a vendor breaking the rules, but the Office of Personnel Management breach proves the US government isn't immune from these attacks. The more you gather and store in one place, the more often you'll be targeted by enemies foreign and domestic.
Finally, the incident has angered a handful of Congressional reps.
House Homeland Security Committee Chairman Bennie Thompson (D-Miss.) announced on Monday that his committee would hold hearings next month to examine the collection of biometric information by the Department of Homeland Security (DHS), which includes CBP.
Thompson also noted that he wants to ensure “we are not expanding the use of biometrics at the expense of the privacy of the American public.”
Homeland Security Committee ranking member Mike Rogers (R-Ala.), used the breach to criticize DHS’s handling of cybersecurity challenges, saying in a statement to The Hill that “the agency is ill-equipped to handle emerging cyberthreats.”
“The data breach resulted from a contractor acting improperly and against agency policy,” Rogers said. “We need to take steps to ensure this does not happen again.”
Ensuring contractors follow the rules isn't really a solution. It may reduce the number of attack vectors, but it doesn't address the underlying issue: we're collecting more data on people than ever before and breaches are not a matter of "if," but "when." Until Congress gets serious about scaling back these massive collections, these will remain popular targets with the potential to cause a tremendous amount of harm to the millions of people who pass through our borders and airports.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: alpr, cbp, hacked, license plates, photos, privacy
Companies: perceptics
Reader Comments
Subscribe: RSS
View by: Time | Thread
The punishment for violating the rules about not taking a copy of the data, which is what got taken was... their contract continues.
If they were willing to violate the rules of the people employing them & fail in such a large way... why haven't we fined them and moved on? There have to be other companies out there who might not decide to just take a copy of the folder marked do not copy and hand it out to the first cute hacker that comes along.
While we know about a photo database, which seems weird to have no other info indexed with it... what other contracts do they have, what other data haven't they admitted they lost yet? Sure hope they didn't have the login and password to the CBP database saved in notepad.
[ link to this | view in chronology ]
Re: saved in notepad
That's what Post-Its and sticky tape are for.
[ link to this | view in chronology ]
1st, 4th and 5th Amendment Audits at Border checks
There are many videos on Youtube, made by people exercising their right to silence, or 1st Amendment rights, or whichever challenge to guvmint overreach happens to be flavour of the month.
29 Miles inside the US Border https://www.youtube.com/watch?v=ZSkGOfvLHUY
While these are often frustrating and sometimes entertaining, I've yet to see the coal-rollers enter one of these checkpoints, either singularly or in convoy.
That would make for some interesting video.
[ link to this | view in chronology ]
re: CJIS /CHRI Database
It would be interesting to pull a few FOIAs and probe the Pasadena 3M Cogent identity management database, because it had a few in-house-out-to -vendor Level 3 breaches in the runup to the 2016 election.
Oh, wait! Its now Gemaltos database after 3M used it as a political cat box....you remember Gemalto, dont you? Yeah, the NSA hacked all its phone chips....
Oh, wait! Gemalto sold the company quicker than you can say hot potat.....
[ link to this | view in chronology ]
OK: now I'm mildly confused. The first wave of reports that came out were reporting that the breach involved 100,000 records on an unnamed Mexico border crossing.
The next wave stated that no, it was a Canadian border crossing, but the number stayed the same.
Now it looks like the guess on Mexico border crossing came from the Register article on Perceptics, assuming that it was these Next Gen readers that had data leaked.
So where did the Canadian bit come from? Are we talking one breach here, or two?
And as I've said elsewhere: the hacking of the contractor is NOT the breach that should be being published by CBP. That should be published by the contractor.
What should be published by CBP is that THEIR data policy was breached, with a contractor stealing information off of their servers against policy. And THAT should have been flagged up as soon as it happened. Data security isn't done by "binding contracts" -- it's done by programmatically making it difficult to move the data in the first place. The contracts are just to enforce this and make people think twice about putting in EXTRA effort to move data around the safeguards already in place.
[ link to this | view in chronology ]
Re:
... and this leads me to believe that CBP does not have actual security in place across their entire network, but is depending on agreements with third parties who handle the data to safeguard the privacy of everyone who crosses the border.
[ link to this | view in chronology ]
Re: Canadian border crossing
The first wave of reports that came out were reporting that the breach involved 100,000 records on an unnamed Mexico border crossing.
The next wave stated that no, it was a Canadian border crossing,
Canadians is what we call Mexicans from the North.
[ link to this | view in chronology ]
so... a breach of a breach. keep innovating, America.
[ link to this | view in chronology ]
So..
A contractor..
Which is Probably part of the system, installed, got or was infected..
And his system entered into the data base, that SHOULD have been restricted(passworded), insted oa Sample set.. and the Contractor or the BOT/VIRUS inside his PORTABLE laptop or remote computer, THAT WASNT USED ONLY for this type of job(thats how infections happen) Picked up all this data...2-3-10-100 gigs of video data..
No one
checked his system.(not hard, just check the HD for the space available when he came and went)
monitored his access..
DOCUMENTED that this file/directory as accessed..because it wasnt passworded/restricted/a warning bell wasnt setup to tell a SYSOP that this PRIVATe file had been accessed and COPIED..
EVEN scanned his SYSTEM before he even attached to the system. Which can be done by the system when a person connects..
[ link to this | view in chronology ]
Too bad they didn't have some sort of way of protecting the data from unauthorized access.
Oh wait, that's what encryption is for. So can someone explain why the tech sector should nerd harder when the government doesn't even try to nerd?
[ link to this | view in chronology ]
Re:
Because the Gov. got rid of all the smart persons that were telling them What was/will be/and SHOULD be...
The oldest computer in the gov. belongs to the IRS from the late 60's and is still being used... YOUR computer is better then that machine.
[ link to this | view in chronology ]