Cyberattack exposes travelers’ photos, says US border agency

The images, collected over one and a half months, were taken as the travelers crossed an unspecified border point

The United States’ Customs and Border Protection (CBP) has announced that a security incident at one of its subcontractors has compromised the photos of thousands of travelers entering and departing the country.

In addition to the photos of the people’s faces, the stolen data also include images showing the license plates of the cars they used for entering and exiting the US. The data had been collected by CBP over a period of one and a half months as the travelers crossed an unspecified border point, according to The Washington Post, which broke the news.

In a full statement, shared by BuzzFeedNews, the agency said that the breached subcontractor had violated mandatory security protocols and acted without CBP’s knowledge or authorization when transferring the data to its own systems.

The attack against the subcontractor’s network came to CBP’s knowledge on May 31st. Fewer than 100,000 people were affected and the data, stolen by parties unknown, had not surfaced on the internet or dark web, said the agency. No additional information or other photos, including from passports or other documents, were impacted, but details about the incident are generally rather scarce.

In fact, the agency never named the source of the breach, but reports imply that its name appears to have come to light regardless – if only due to an apparent mistake. The Washington Post said that the statement that CBP shared with its reporters in regard to the incident contained “Perceptics” in the title, although CBP declined to confirm later whether or not the breach had stemmed from the company of this name.

A provider of license plate readers for CBP, Perceptics appears to have been implicated in a recent data dump in which, according to The Register, somebody offered files reportedly exfiltrated from Perceptics for free on the dark web.

Meanwhile, the incident disclosed by CBP comes as the agency continues to push for facial recognition software at airports and land crossings alike. The agency aims to scale up its “biometric entry-exit system” so that facial recognition systems are used on 97 percent of all outbound air passengers by 2021.

Facial recognition also came into the spotlight three weeks ago, when the City of San Francisco banned the use of this technology by city agencies. ESET’s Global Security Evangelist Tony Anscombe weighed in on the decision, as well as on some of the broader implications of the technology, in this article.