Inspector General's Report Confirms CBP Contractor Was Hacked, Resulting In Sensitive Info Making Its Way To The Dark Web

from the collect-it-all,-protect-it-barely dept

Last year, a CBP vendor suffered a data breach affecting more than 100,000 people who had crossed the border at checkpoints. The CBP refused to name the contractor involved in the breach, but internal documents indicated it was Perceptics. Perceptics provided and maintained the system that photographed cars and their occupants as they crossed the border.

The vendor's involvement in the breach has now been publicly confirmed, thanks to an Inspector General's investigation of the incident. Sensitive information that was never supposed to be located on Perceptics' servers was obtained by hackers and (partially) distributed on the dark web. [h/t Motherboard]

The report [PDF] lists the extent of the damage, which was fairly minimal given what was involved.

The subcontractor’s network was later the subject of a malicious cyber attack that compromised approximately 184,000 traveler images from CBP’s facial recognition pilot. After removing duplicate images, CBP reduced its estimate to 100,000 individual images, of which they discovered 19 were posted to the Dark Web.

From which the IG draws this inevitable conclusion:

This incident may ultimately result in damage to the public’s trust in Government biometric programs.

Yes, whatever trust there is that hasn't been damaged yet, I guess.

Perceptics was authorized to be on-site to perform maintenance work. It was never authorized to transfer any photos to its own servers. But it did. And it did this in the worst way possible.

According to documentation from Unisys and CBP, Perceptics subsequently admitted to Unisys that it had downloaded approximately 184,000 traveler images from the equipment in conjunction with the work order tickets. Perceptics personnel accomplished this using an unencrypted USB hard drive that was eventually transported back to their corporate office in Knoxville, Tennessee. From there, subcontractor personnel uploaded CBP’s images to a Perceptics server.

This unauthorized data exfiltration led directly to another unauthorized data exfiltration.

Perceptics’ corporate network was subjected to a ransomware attack at some point prior to May 13, 2019. The attack compromised thousands of driver and passenger images that CBP captured during the VFS pilot. CBP determined that more than 184,000 traveler facial image files, as well as 105,000 license plate images from prior pilot work, were stored on the subcontractor’s network at the time of the ransomware attack. In addition, the hacker stole an array of contractual documents, program management documents, emails, system configurations, schematics, and implementation documentation related to CBP license plate reader programs.

Perceptics refused to pay the ransom and the hacker (d/b/a "Boris Bullet Dodger") released "9,000 unique files" on the dark web.

The Inspector General says Perceptics should never have taken files offsite. But it's not the only party to blame. CBP should have made this far more difficult to achieve.

Perceptics was able to make unauthorized use of CBP’s biometric data, in part because CBP did not implement all available IT security controls, including an acknowledged best practice. Additional IT security controls in place during the pilot could have prevented Perceptics from violating contract clauses and using an unencrypted hard drive to access and download biometric images at the pilot site.

The rest of the report is the CBP promising to secure barn doors as per the IG's recommendations. Certainly this will have some effect going forward. But the fact remains the CBP collects a lot of personal information that can be tied to border crossers' vehicles. All of this in one place continues to make the CBP -- and most government agencies -- tempting targets for malicious hackers.

Filed Under: border crossing, cbp, dark web, facial recognition, hacked, inspector general, leaked, security
Companies: perceptics, unisys


Reader Comments

  • That Anonymous Coward (profile), 29 Sep 2020 @ 3:46am

    Gee, it's almost like they think you can just hand out credit monitoring and that makes everything better.

    Meanwhile all the O2 is being sucked out of the room by ZOMG 230 screaming while after too many hacks to count, too many contractors violating the law, they still haven't demanded tighter security with actual punishments & protections. But if we pay a few billion more for shitty planes we won't ever actually use we'll be safe again.

    Something something Trump of all people should know how easy it is to leverage people when they have nothing & someone has dirt on them.

  • hij (profile), 29 Sep 2020 @ 5:27am

    DOJ rightly focused on important things

    So glad the DOJ is focused on what is truly important, encryption.

  • Anonymous Coward, 29 Sep 2020 @ 6:26am

    Low-Hanging Fruit

    CPB Fails

    • Sir, you're not allowed to take recordable media onsite.
    • Download access denied (network layer).
    • Sir, I need to check the content of that thumb drive.

    Perceptics Fails

    • As contractors, we must be ethical.
    • As custodians of client data, we must be competent.

    All a hacker needs is the understanding that in many circumstances these are usual levels of laziness, incompetence, and dishonesty. Pick a third-rate government agency with no specialization in IT security and hack their brand-X, private sector consultants...harvest time!

    • Anonymous Coward, 29 Sep 2020 @ 10:35am

      Re: Low-Hanging Fruit

      Even lower:

      Don't be doing this recording and storing of everything in the first place.

      Stop contracting out anything, really.

  • That One Guy (profile), 29 Sep 2020 @ 8:24am

    And here I was worried for a second...

    And of course this is the same government that is trying to undermine security for everyone by mandating broken encryption because they're too lazy and/or corrupt to do their damn jobs.

  • Chris Brand, 29 Sep 2020 @ 9:39am

    Interesting language

    Perceptics "violat[ed] contract clauses"
    The hacker "stole"

    Of course, in reality they both did the same thing: copied data that they weren't allowed to.

    • Anonymous Coward, 29 Sep 2020 @ 10:37am

      Re: Interesting language

      Exactly this. CBP is pretty much doing it also when creating and storing data from meatspace.
