DHS watchdog weighs in on 2019 biometrics leak
- By Mark Rockwell
- Sep 25, 2020
A Department of Homeland Security (DHS) Office of Inspector General report released on Sept. 21 provided details on a 2019 leak of biometric data from Customs and Border Protection (CBP) systems that was exposed in a ransomware attack on a subcontractor's network.
CBP acknowledged in June 2019 that images of travelers and license plates collected under its authority in a Texas technology pilot were stolen in a breach of a subcontractor's network.
The data breach compromised approximately 184,000 traveler images from the agency's facial recognition pilot at the Anzalduas border crossing at McAllen, Texas, according to the DHS OIG report. That project tested technology that took images of volunteer travelers' faces and license plates on vehicles moving through traffic lanes at the border crossing.
The data was leaked from subcontractor Perceptics' systems after the company transferred it from CBP's system without the agency's knowledge, according to the report. Perceptics accessed the data from the CBP system through an unsecured serial bus port in a locked enclosure. CBP officials told the DHS OIG that Perceptics personnel accessed the enclosure for maintenance, but the company never asked to access the data, much less transfer it to its own systems. Because of these circumstances, CBP said it disagreed with the report's assessment that the agency did not "adequately safeguard" the biometrics data.
"In short, the main issue of the incident was a subcontractor who disregarded the terms of their contract and normal ethical business principles," Henry Moak, CBP's chief accountability officer, wrote in reply to the OIG report. The agency also terminated its relationship with Perceptics when the breach was uncovered last year.
More than a dozen images wound up on the dark web after the subcontractor refused to pay the ransom, the report said.
The DHS OIG recommended DHS' Office of Information Technology review policies restricting USB devices and implement stronger encryption for the trial. The watchdog also recommended coordinating those stronger protections for other DHS biometric programs, particularly the agency's biometric entry/exit program.
That program, being piloted at a number of U.S. airports and seaports, collects images of foreign nationals upon their entry to the U.S. and adds them to a database that can be used to confirm that the same individual is departing.
The DHS OIG recommended CBP's Office of Field Operations set up a plan for the entry/exit program to regularly assess third-party equipment that supports the program to ensure security and privacy compliance.
Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.
Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.
Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.