The unauthorized copying, by a subcontractor, of a database containing identification images and license plate images of American citizens onto the subcontractor's own server, and the subsequent hacking of that server, was only announced by CBP on Monday, well over a week after the law enforcement agency was notified of the data breach.
The images, which were compiled on a government database for use in airport facial recognition software, were obtained by hackers on May 31. The agency revealed it has since alerted members of the US Congress and also claimed the photos obtained have not yet appeared on the Dark Web.
"In violation of CBP policies and without CBP's authorization or knowledge, [a subcontractor] transferred copies of license plate images and traveler images collected by CBP to the subcontractor's company network," CBP announced. "The subcontractor's network was subsequently compromised by a malicious cyberattack."
The statement highlights that “no CBP systems were compromised,” meaning it was only the subcontractor whose security was breached.
“Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract,” further notes CBP.
In May, a similar cyberattack was carried out against US-based Perceptics, a company that offered license-plate recognition software to government agencies such as the US Immigration and Customs Enforcement (ICE). The data breach resulted in the loss of hundreds of gigabytes of data that was later published online by the hacker.
The subcontractor's name has yet to be released, but rather than announcing that it would cut ties with the unnamed company that violated its contract, CBP said it would be "closely monitoring all CBP work by the subcontractor."
"This incident further underscores the need to put the brakes on these efforts and for Congress to investigate the agency's data practices,” American Civil Liberties Union senior legislative counsel Neema Singh Guliani told CNet Monday, adding that “the best way to avoid breaches of sensitive personal data is not to collect and retain such data in the first place."
Just last week, members of Congress grew skeptical of the FBI’s ability to implement “adequate privacy and accuracy guardrails” for US citizens after Government Accountability Office (GAO) representative Gretta Goodwin revealed the bureau’s available database contained some “640 million photos” of Americans nationwide.
As a result, Republican Reps. Jim Jordan and Mark Meadows openly expressed their concerns about the push for facial recognition software, with Meadows suggesting a pause on the tech’s implementation “until we make sure that isn’t not violating our Fourth Amendment rights and civil liberties.”
The conclusion of CBP's statement claims all equipment related to the breach has been "removed from service." The agency also said an investigation has been launched with the help of additional law enforcement, cybersecurity experts and CBP's own Office of Professional Responsibility.