Traveler Photos Stolen by Hackers in US Customs and Border Protection Data Breach
U.S. Customs and Border Protection (CBP) announced yesterday that hackers stole traveler’s photos used when crossing US land borders from a contractor. The images included photographs of people’s faces. In addition to the personal photographs, vehicle license plate images are also part of the hacked data. U.S. Customs and Border Protection says photos of travelers were stolen when a federal contractor suffered a data breach. CBP did not name the contractor involved in the data breach. However, in the statement issued to news agencies, the subject line read “CBP Perceptics Public Statement.”
What Is Perceptics?
Perceptics, a government contractor purported to be the sole provider of license plate reader technology at U.S. land borders, was hacked. Traveler’s location, license plate images, business documents, and other photos were found on the dark web for anyone to download. Perceptics sells license plate readers, license plate recognition systems, and vehicle identification products to local state, and federal government agencies as well as foreign governments. Its technology is used to monitor privately owned vehicles as they cross into and out of the United States. The company’s technology is installed at all land border crossing lanes between the United States and Canada. It also has license plate readers at border crossings between the United States and Mexico at 43 U.S. Border Patrol checkpoints in California, New Mexico, Arizona, and Texas. Hacked traveler data includes license plate numbers, images, and locations was found on the dark web.
The CBP announcement stated, “Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract.” A US official speaking anonymously said that Perceptics was trying to use the photos to refine its algorithms. The goal is to match license plates with the car’s occupants. The data involved travelers crossing the Canadian border. This is not within CBP’s contractual use.
The traveler’s photos were downloaded to a subcontractor’s company network and later hacked in a cyber attack. CBP learned of the breach on May 31. No passport or other travel document photos were compromised. No CBP systems were compromised. The photographs are images taken of people in their vehicles as they entered and exited the United States over land borders and bridges. The number of photographs hacked is believed to be more limited than the rest of the hacked data. This is the second data privacy breach for the federal government this year. In March, the Federal Emergency Management Agency transferred addresses and banking information of over two million U.S. disaster victims with a contractor.
Sen. Ron Wyden (D-Ore.) called for U.S. Customs and Border Protection to notify anyone who was affected by the data breach.
What is Facial Recognition?
Facial recognition is a form of biometrics. Human facial features, like bone structure, are analyzed to real-time scanned image to databases of known persons. Other forms of biometric surveillance include fingerprinting and iris scans. Since it is not practical to surveil large crowd with either, facial recognition is commonly used by governments to identify people quickly.
Facial Recognition Privacy Concerns
Amazon stockholders recently voted to move forward with selling their facial recognition technology, called Amazon Rekognition, to law enforcement and governmental agencies. Both Google and Microsoft have declined to work with facial recognition technology for certain government agencies. Microsoft is in favor of increased government regulation of facial recognition use citing a potential for abuse.
CBP uses cameras and video recordings at airports and land border crossings to capture images of people and vehicles to track people entering and exiting the United States. The Government Accountability Office told the House Committee on Oversight and Reform at a hearing last week that the Federal Bureau of Investigations (FBI) has a database of over 640 million photos from passports and driver’s licenses that it uses for criminal investigations.
CBP has been expanding its use of facial recognition technology and tracking the behaviors of people exiting and entering the United States. Recently it was announced that people requesting a Visa for the United States would have to surrender their social media accounts, previous addresses, and phone number on their Visa applications.
The first facial recognition airport terminal was opened at Hartsfield-Jackson Atlanta International Airport in Atlanta in 2018. International passengers departing from a special Delta airlines terminal could use facial recognition for all security checkpoints after initial check-in was complete. The airport terminal is the first fully biometric airport terminal to operate in the United States. Delta airlines was hit by a data breach in March 2018. In this data privacy breach, a third-party vendor that provides customer service chats was hacked. Credit cards of Delta Airlines customers were stolen. No passport, government IDs, or Delta SkyMiles information was hacked.
The Department of Homeland Security intends to use facial recognition to identify 97% of departing commercial air passengers by 2020. There are no laws preventing it from doing so.
Michelle writes about cyber security, data privacy focusing on social media privacy as well as how to protect your IoT devices. She has worked in internet technology for over 20 years and owns METRONY, LLC. Michelle earned a B.S. in Engineering from Rensselaer Polytechnic Institute. Michelle published a guide to Cyber Security for Business Travelers
