Securing The Nation With Insecure Databases: CBP Vendor Hacked, Exposing Thousands Of License Plate, Car Passenger Photos

from the guess-you-have-to-give-up-some-security-to-gain-some-security? dept

US Customs and Border Protection has suffered an inevitability in the data collection business. The breach was first reported by the Washington Post. It first appeared to affect the DHS’s airport facial recognition system, but further details revealed it was actually a border crossing database that was compromised.

The breach involved photos of travelers and their vehicles, which shows the CPB is linking people to vehicles with this database, most likely to make it easier to tie the two together with the billions of records ICE has access to through Vigilant’s ALPR database.

The breach involved a contractor not following the rules of its agreement with the CBP. According to the vendor agreement, all harvested data was supposed to remain on the government’s servers. This breach targeted the vendor, which means the contractor had exfiltrated photos and plate images it was specifically forbidden from moving to its own servers.

According to reports from other news agencies, the breach likely involve Perceptics, a Tennessee-based manufacturer of stationary license plate readers. The Register first reported a breach there on May 23, after being contacted by a hacker possibly involved with the attack on the company’s servers. The CBP claims it was not aware of this breach until May 31. But this piece of info from the Register’s article seems to indicate Perceptics may be the vendor the agency has refused to name.

Perceptics recently announced, in a pact with Unisys Federal Systems, it had landed “a key contract by US Customs and Border Protection to replace existing LPR technology, and to install Perceptics next generation License Plate Readers (LPRs) at 43 US Border Patrol check point lanes in Texas, New Mexico, Arizona, and California.”

This is all but confirmed in the Washington Post’s report, which contains another link to Perceptics the CBP has refused to officially confirm.

CBP would not say which subcontractor was involved. But a Microsoft Word document of CBP’s public statement, sent Monday to Washington Post reporters, included the name “Perceptics” in the title: “CBP Perceptics Public Statement.”

No personal info was included in the breach, which the CBP said affected about 100,000 travelers entering and exiting the US through a single point of entry. It also claims it hasn’t seen any of the data surface on the light or dark web, so there’s that, if that statement is actually true.

This news has prompted many reactions, including some very obvious ones: first and foremost, the easiest way to minimize the damage of inevitable data breaches is to not harvest so much damn data. Unfortunately, the DHS’s plans only involve expansion of its existing collection programs, including a larger rollout of its airport biometric scanning and its new mandatory collection of social media info from incoming foreigners.

It’s pretty tough to secure a nation when you can’t secure a database. This breach may have been the result of a vendor breaking the rules, but the Office of Personnel Management breach proves the US government isn’t immune from these attacks. The more you gather and store in one place, the more often you’ll be targeted by enemies foreign and domestic.

Finally, the incident has angered a handful of Congressional reps.

House Homeland Security Committee Chairman Bennie Thompson (D-Miss.) announced on Monday that his committee would hold hearings next month to examine the collection of biometric information by the Department of Homeland Security (DHS), which includes CBP.

Thompson also noted that he wants to ensure “we are not expanding the use of biometrics at the expense of the privacy of the American public.”

Homeland Security Committee ranking member Mike Rogers (R-Ala.), used the breach to criticize DHS’s handling of cybersecurity challenges, saying in a statement to The Hill that “the agency is ill-equipped to handle emerging cyberthreats.”

“The data breach resulted from a contractor acting improperly and against agency policy,” Rogers said. “We need to take steps to ensure this does not happen again.”

Ensuring contractors follow the rules isn’t really a solution. It may reduce the number of attack vectors, but it doesn’t address the underlying issue: we’re collecting more data on people than ever before and breaches are not a matter of “if,” but “when.” Until Congress gets serious about scaling back these massive collections, these will remain popular targets with the potential to cause a tremendous amount of harm to the millions of people who pass through our borders and airports.

Filed Under: , , , , ,
Companies: perceptics

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Securing The Nation With Insecure Databases: CBP Vendor Hacked, Exposing Thousands Of License Plate, Car Passenger Photos”

Subscribe: RSS Leave a comment
That Anonymous Coward (profile) says:

The punishment for violating the rules about not taking a copy of the data, which is what got taken was… their contract continues.

If they were willing to violate the rules of the people employing them & fail in such a large way… why haven’t we fined them and moved on? There have to be other companies out there who might not decide to just take a copy of the folder marked do not copy and hand it out to the first cute hacker that comes along.

While we know about a photo database, which seems weird to have no other info indexed with it… what other contracts do they have, what other data haven’t they admitted they lost yet? Sure hope they didn’t have the login and password to the CBP database saved in notepad.

Bobvious says:

1st, 4th and 5th Amendment Audits at Border checks

There are many videos on Youtube, made by people exercising their right to silence, or 1st Amendment rights, or whichever challenge to guvmint overreach happens to be flavour of the month.

29 Miles inside the US Border

While these are often frustrating and sometimes entertaining, I’ve yet to see the coal-rollers enter one of these checkpoints, either singularly or in convoy.

That would make for some interesting video.

R,og S/ says:

re: CJIS /CHRI Database

It would be interesting to pull a few FOIAs and probe the Pasadena 3M Cogent identity management database, because it had a few in-house-out-to -vendor Level 3 breaches in the runup to the 2016 election.

Oh, wait! Its now Gemaltos database after 3M used it as a political cat box….you remember Gemalto, dont you? Yeah, the NSA hacked all its phone chips….

Oh, wait! Gemalto sold the company quicker than you can say hot potat…..

Anonymous Coward says:

OK: now I’m mildly confused. The first wave of reports that came out were reporting that the breach involved 100,000 records on an unnamed Mexico border crossing.

The next wave stated that no, it was a Canadian border crossing, but the number stayed the same.

Now it looks like the guess on Mexico border crossing came from the Register article on Perceptics, assuming that it was these Next Gen readers that had data leaked.

So where did the Canadian bit come from? Are we talking one breach here, or two?

And as I’ve said elsewhere: the hacking of the contractor is NOT the breach that should be being published by CBP. That should be published by the contractor.

What should be published by CBP is that THEIR data policy was breached, with a contractor stealing information off of their servers against policy. And THAT should have been flagged up as soon as it happened. Data security isn’t done by "binding contracts" — it’s done by programmatically making it difficult to move the data in the first place. The contracts are just to enforce this and make people think twice about putting in EXTRA effort to move data around the safeguards already in place.

ECA (profile) says:


A contractor..
Which is Probably part of the system, installed, got or was infected..
And his system entered into the data base, that SHOULD have been restricted(passworded), insted oa Sample set.. and the Contractor or the BOT/VIRUS inside his PORTABLE laptop or remote computer, THAT WASNT USED ONLY for this type of job(thats how infections happen) Picked up all this data…2-3-10-100 gigs of video data..

No one
checked his system.(not hard, just check the HD for the space available when he came and went)
monitored his access..
DOCUMENTED that this file/directory as accessed..because it wasnt passworded/restricted/a warning bell wasnt setup to tell a SYSOP that this PRIVATe file had been accessed and COPIED..
EVEN scanned his SYSTEM before he even attached to the system. Which can be done by the system when a person connects..

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »