The images, collected over one and a half months,
were taken as the travelers crossed an unspecified border point
The United States’ Customs and Border Protection
(CBP) has announced that a security incident at one of its subcontractors has
compromised the photos of thousands of travelers entering and departing the
country.
In addition to the photos of the people’s faces,
the stolen data also include images showing the license plates of the cars they
used for entering and exiting the US. The data had been collected by CBP over a
period of one and a half months as the travelers crossed an unspecified border
point, according to The Washington Post, which broke the news.
In a full statement, shared by BuzzFeedNews, the agency said that the breached subcontractor
had violated mandatory security protocols and acted without CBP’s knowledge or
authorization when transferring the data to its own systems.
The attack against the subcontractor’s network came
to CBP’s knowledge on May 31st. Fewer than 100,000 people were affected and the
data, stolen by parties unknown, had not surfaced on the internet or dark web,
said the agency. No additional information or other photos, including from
passports or other documents, were impacted, but details about the incident are
generally rather scarce.
In fact, the agency never named the source of the
breach, but reports imply that its name appears to have come to light
regardless – if only due to an apparent mistake. The Washington Post said that
the statement that CBP shared with its reporters in regard to the incident
contained “Perceptics” in the title, although CBP declined to confirm later
whether or not the breach had stemmed from the company of this name.
A provider of license plate readers for CBP,
Perceptics appears to have been implicated in a recent data dump in which,
according to The Register, somebody offered files reportedly exfiltrated
from Perceptics for free on the dark web.
Meanwhile, the incident disclosed by CBP comes as
the agency continues to push for facial recognition software at airports and land crossings
alike. The agency aims to scale up its “biometric entry-exit system” so that
facial recognition systems are used on 97 percent of all outbound air
passengers by
2021.
Facial recognition also came into the spotlight
three weeks ago, when the City of San Francisco banned the use of this technology
by city agencies. ESET’s Global Security Evangelist Tony Anscombe weighed in on
the decision, as well as on some of the broader implications of the technology,
in this article.