
Cyber-Attack on US Customs and Border Protection

June 12, 2019 | Expert Insights

BACKGROUND

The US government maintains vast databases of travelers’ personal information, including passport and visa photos, and airlines have also increasingly used facial recognition technology, sharing biometric data with federal agencies that store the sensitive information. The customs and border agency is part of the Homeland Security Department, which has primary responsibility for cybersecurity inside the United States.

ANALYSIS

A US Customs and Border Protection (CBP) data breach has exposed travelers’ photos and license plate information, renewing concerns about expanded facial recognition and federal surveillance systems.

The CBP’s own networks were not breached. Instead, one of its subcontractors had quietly copied the data to its own servers without CBP’s knowledge and against CBP policy. It was that subcontractor’s networks that were subsequently compromised, resulting in the exposure of the data. CBP said that “none of the image data has been identified on the dark web or internet.”

“This breach comes just as CBP seeks to expand its massive face recognition apparatus and collection of sensitive information from travellers, including license plate information and social media identifiers,” Neema Singh Guliani, American Civil Liberties Union senior legislative counsel, said in a statement. “This incident further underscores the need to put the brakes on these efforts and for Congress to investigate the agency’s data practices.” The best way to avoid these kinds of breaches, Guliani added, “is not to collect and retain such data in the first place.”

CBP has reached out to members of Congress, other law enforcement agencies, and cybersecurity entities as part of its investigation of the incident. The CBP’s Office of Professional Responsibility is also involved in the investigation.

“Government use of biometric and personal identifiable information can be valuable tools only if utilized properly. Unfortunately, this is the second major privacy breach at the Department of Homeland Security this year. We must ensure we are not expanding the use of biometrics at the expense of the privacy of the American public. I intend to hold hearings next month on Homeland Security’s use of biometric information,” Bennie G. Thompson, Chairman of the Committee on Homeland Security, said in a statement.

In May, San Francisco lawmakers voted to make the city the first in the US to ban police and other government agencies from using facial recognition technology. The state of California and other municipalities across the country are now considering similar proposals.

ASSESSMENT

Our assessment is that traveller photos, like fingerprints, fall under the umbrella of biometric data and are extremely valuable to hackers, especially as the use of facial recognition technology becomes more widespread. Hackers can create profiles of people using biometric data and combine them with other information such as financial or personal records obtained in other breaches. The more information they have, the more valuable their profile of a person becomes.

Efforts to set up alarm systems that would provide early warning when large amounts of data are removed have been hampered by a shortage of funds, focus and expertise.

We feel that breaches of government contractors have been a persistent security issue. This was how the United States lost many of the designs for the F-35, the most expensive fighter jet in history. The first breach of data from the Office of Personnel Management also started with a contractor doing interviews for security clearances.

Companies outsource an increasing percentage of their business operations, from payroll and HR systems to customer management and helpdesk systems to software development and data management. While much of this outsourcing goes to established Internet companies that actually offer greater cybersecurity than the company’s own networks, there are myriad small vendors that even large companies rely upon for speciality services, and these can pose a particularly dangerous insider threat. We feel that companies can mitigate these risks by choosing vendors with a particular focus on cyber defence, conducting rigorous audits of their integration points, and deploying network monitoring and data loss prevention technologies to flag unusual accesses and activity.