US Customs and Border Protection (CBP) has confirmed that a data breach has exposed the personal information of travelers entering and leaving the United States. The data reportedly includes photos and travel documents, but the real problem is that the data was not stored on a CBP network. The agency points to an unnamed vendor that copied CBP data to its own network, from which it was later stolen.
According to CBP, it was informed of the breach at the end of May. The agency, charged with ensuring border and customs security, said its own network was not the target of the attack. The unnamed contractor reportedly transferred the data to its own network, in violation of CBP rules. Still, someone at CBP granted the company sufficient access to exfiltrate an unknown amount of sensitive data, so CBP's hands are not clean in this respect. Civil liberties groups blame CBP for the collection and retention of the data.
Because of the nature of the breach, it is difficult to know exactly what has been disclosed and how many travelers are affected. So far, CBP has indicated only that the data includes photos, passport/visa images and license plate images. This could affect millions of people, including US citizens and foreign nationals. On the other hand, the subcontractor may have copied only a small amount of data without authorization.
CBP has not yet named the subcontractor, but the document describing the attack bears the name "Perceptics" in the title. This company claims to supply all license plate readers used at US borders. The photos in question are most likely those taken by border agents when checking documents. Other reports indicate that airport operations have not been affected, suggesting that the data is limited to land crossings. Recent media reports have claimed that data stolen from Perceptics is available at various places on the dark web. We do not yet know if these events are related, but it seems to be a safe bet.
The Border Patrol has been working on a facial recognition system that has been strongly criticized for its accuracy and usefulness, but there is no evidence that Perceptics has any connection to this system. However, if you wanted to create a facial recognition database, a cache of photos associated with government-issued IDs, such as passports, would be a perfect data set.
Top Photo Credit: US Customs and Border Patrol