Inspector General's Report Confirms CBP Contractor Was Hacked, Resulting In Sensitive Info Making Its Way To The Dark Web
from the collect-it-all,-protect-it-barely dept
Last year, a CBP vendor suffered a data breach affecting more than 100,000 people who had crossed the border at checkpoints. The CBP refused to name the contractor involved in the breach, but internal documents indicated it was Perceptics. Perceptics provided and maintained the system that photographed cars and their occupants as they crossed the border.
The vendor's involvement in the breach has now been publicly confirmed, thanks to an Inspector General's investigation of the incident. Sensitive information that was never supposed to be located on Perceptics' servers was obtained by hackers and (partially) distributed on the dark web. [h/t Motherboard]
The report [PDF] lists the extent of the damage, which was fairly minimal given what was involved.
The subcontractor’s network was later the subject of a malicious cyber attack that compromised approximately 184,000 traveler images from CBP’s facial recognition pilot. After removing duplicate images, CBP reduced its estimate to 100,000 individual images, of which they discovered 19 were posted to the Dark Web.
From which the IG draws this inevitable conclusion:
This incident may ultimately result in damage to the public’s trust in Government biometric programs.
Yes, whatever trust there is that hasn't been damaged yet, I guess.
Perceptics was authorized to be on-site to perform maintenance work. It was never authorized to transfer any photos to its own servers. But it did. And it did this in the worst way possible.
According to documentation from Unisys and CBP, Perceptics subsequently admitted to Unisys that it had downloaded approximately 184,000 traveler images from the equipment in conjunction with the work order tickets. Perceptics personnel accomplished this using an unencrypted USB hard drive that was eventually transported back to their corporate office in Knoxville, Tennessee. From there, subcontractor personnel uploaded CBP’s images to a Perceptics server.
This unauthorized data exfiltration led directly to another unauthorized data exfiltration.
Perceptics’ corporate network was subjected to a ransomware attack at some point prior to May 13, 2019. The attack compromised thousands of driver and passenger images that CBP captured during the VFS pilot. CBP determined that more than 184,000 traveler facial image files, as well as 105,000 license plate images from prior pilot work, were stored on the subcontractor’s network at the time of the ransomware attack. In addition, the hacker stole an array of contractual documents, program management documents, emails, system configurations, schematics, and implementation documentation related to CBP license plate reader programs.
Perceptics refused to pay the ransom and the hacker (d/b/a "Boris Bullet Dodger") released "9,000 unique files" on the dark web.
The Inspector General says Perceptics should never have taken files offsite. But it's not the only party to blame. CBP should have made this far more difficult to achieve.
Perceptics was able to make unauthorized use of CBP’s biometric data, in part because CBP did not implement all available IT security controls, including an acknowledged best practice. Additional IT security controls in place during the pilot could have prevented Perceptics from violating contract clauses and using an unencrypted hard drive to access and download biometric images at the pilot site.
The rest of the report is the CBP promising to secure barn doors as per the IG's recommendations. Certainly this will have some effect going forward. But the fact remains the CBP collects a lot of personal information that can be tied to border crossers' vehicles. All of this in one place continues to make the CBP -- and most government agencies -- tempting targets for malicious hackers.
Reader Comments
Gee, it's almost like they think you can just hand out credit monitoring and that makes everything better.
Meanwhile all the O2 is being sucked out of the room by ZOMG 230 screaming while, after too many hacks to count, too many contractors violating the law, they still haven't demanded tighter security with actual punishments & protections. But if we pay a few billion more for shitty planes we won't ever actually use we'll be safe again.
Something something Trump of all people should know how easy it is to leverage people when they have nothing & someone has dirt on them.
DOJ rightly focused on important things
So glad the DOJ is focused on what is truly important, encryption.
Low-Hanging Fruit
CBP Fails
Perceptics Fails
All a hacker needs is the understanding that in many circumstances these are usual levels of laziness, incompetence, and dishonesty. Pick a third-rate government agency with no specialization in IT security and hack their brand-X, private sector consultants...harvest time!
Re: Low-Hanging Fruit
Even lower:
Don't be doing this recording and storing of everything in the first place.
Stop contracting out anything, really.
And here I was worried for a second...
And of course this is the same government that is trying to undermine security for everyone by mandating broken encryption because they're too lazy and/or corrupt to do their damn jobs.
Interesting language
Perceptics "violat[ed] contract clauses"
The hacker "stole"
Of course, in reality they both did the same thing: copied data that they weren't allowed to.
Re: Interesting language
Exactly this. CBP is pretty much doing it also when creating and storing data from meatspace.