Inspector General's Report Confirms CBP Contractor Was Hacked, Resulting In Sensitive Info Making Its Way To The Dark Web
from the collect-it-all,-protect-it-barely dept
Last year, a CBP vendor suffered a data breach affecting more than 100,000 people who had crossed the border at checkpoints. The CBP refused to name the contractor involved in the breach, but internal documents indicated it was Perceptics. Perceptics provided and maintained the system that photographed cars and their occupants as they crossed the border.
The vendor’s involvement in the breach has now been publicly confirmed, thanks to an Inspector General’s investigation of the incident. Sensitive information that was never supposed to be located on Perceptics’ servers was obtained by hackers and (partially) distributed on the dark web. [h/t Motherboard]
The report [PDF] lists the extent of the damage, which was fairly minimal given what was involved.
The subcontractor’s network was later the subject of a malicious cyber attack that compromised approximately 184,000 traveler images from CBP’s facial recognition pilot. After removing duplicate images, CBP reduced its estimate to 100,000 individual images, of which they discovered 19 were posted to the Dark Web.
From which the IG draws this inevitable conclusion:
This incident may ultimately result in damage to the public’s trust in Government biometric programs.
Yes, whatever trust there is that hasn’t been damaged yet, I guess.
Perceptics was authorized to be on-site to perform maintenance work. It was never authorized to transfer any photos to its own servers. But it did. And it did this in the worst way possible.
According to documentation from Unisys and CBP, Perceptics subsequently admitted to Unisys that it had downloaded approximately 184,000 traveler images from the equipment in conjunction with the work order tickets. Perceptics personnel accomplished this using an unencrypted USB hard drive that was eventually transported back to their corporate office in Knoxville, Tennessee. From there, subcontractor personnel uploaded CBP’s images to a Perceptics server.
This unauthorized data exfiltration led directly to another unauthorized data exfiltration.
Perceptics’ corporate network was subjected to a ransomware attack at some point prior to May 13, 2019. The attack compromised thousands of driver and passenger images that CBP captured during the VFS pilot. CBP determined that more than 184,000 traveler facial image files, as well as 105,000 license plate images from prior pilot work, were stored on the subcontractor’s network at the time of the ransomware attack. In addition, the hacker stole an array of contractual documents, program management documents, emails, system configurations, schematics, and implementation documentation related to CBP license plate reader programs.
Perceptics refused to pay the ransom and the hacker (d/b/a “Boris Bullet Dodger”) released “9,000 unique files” on the dark web.
The Inspector General says Perceptics should never have taken files offsite. But it’s not the only party to blame. CBP should have made this far more difficult to achieve.
Perceptics was able to make unauthorized use of CBP’s biometric data, in part because CBP did not implement all available IT security controls, including an acknowledged best practice. Additional IT security controls in place during the pilot could have prevented Perceptics from violating contract clauses and using an unencrypted hard drive to access and download biometric images at the pilot site.
The rest of the report is the CBP promising to secure barn doors as per the IG’s recommendations. Certainly this will have some effect going forward. But the fact remains the CBP collects a lot of personal information that can be tied to border crossers’ vehicles. All of this in one place continues to make the CBP — and most government agencies — tempting targets for malicious hackers.