Hackers swipe traveler photos from CBP subcontractor

This story was updated June 10 with additional information.

Customs and Border Protection acknowledged June 10 that images of travelers and license plates collected under its authority were stolen in a breach of a subcontractor's network.

CBP learned on May 31 that a subcontractor had stored copies of traveler images and license plates on its own network. That network was "subsequently compromised by a malicious cyber-attack," according to a statement supplied to FCW by a CBP spokesperson. According to the statement, CBP networks were not hacked in the incident.

The agency did not indicate what subcontractor or what program was involved in the breach, but a statement cited in a Washington Post report suggested that Perceptics, which makes license plate reader technology, was involved.

The breach involved images of fewer than 100,000 individuals, a CBP spokesperson said in an emailed update on the incident in the evening of June 10. The photographs were of vehicles coming and going through "a few specific lanes" at a land border entry point over a period of one-and-a-half months. According to CBP, the images did not include any identifying information about the individuals involved.

CBP and its parent agency, the Department of Homeland Security, are increasingly relying on biometric services and other photographic tools to conduct real-time surveillance of travelers at borders and in the U.S. interior.

Such programs are not well publicized, but CBP maintains automated license plate readers at ports of entry and Border Patrol checkpoints to collect data on vehicles entering and leaving the United States. In addition to collecting license plate and car data, it records physical location, time and date -- and may also capture images of vehicle occupants.

A privacy impact assessment published in December 2017 when CBP and the Drug Enforcement Agency entered into a data sharing agreement around license plate data indicated that in addition to maintaining readers at border crossings, CBP is authorized to deploy covert and mobile readers at any location within 100 miles of a border. Law enforcement officials can set up "hot lists" of plates to obtain real-time alerts of activity.

CBP is also working with airline carriers on a biometric entry/exit system to compare photographs of travelers to passport data and other information to prevent individuals from traveling on false documents in and out of U.S. international airports. Facial recognition systems are also being deployed at U.S. land border crossings. CPB specified in an update that the breach did not involve passport or travel document photographs, or images collected from the airport-based entry/exit system.

Recently, lawmakers at a House Oversight and Government Reform Committee hearing chastised officials from DHS and the FBI for deploying biometric and facial recognitions systems that interact with and search against law enforcement databases despite dubious legal justifications.

CBP said in its June 10 statement that it had "removed from service all equipment related to the breach and is closely monitoring all CBP work by the subcontractor." The spokesperson also noted that "as of today, none of the image data has been identified on the Dark Web or internet."

Rep. Bennie Thompson (D-Miss.), the chairman of the House Homeland Security Committee, reacted to the news with the announcement he would hold hearings on DHS use of biometrics next month.

"Government use of biometric and personal identifiable information can be valuable tools only if utilized properly. Unfortunately, this is the second major privacy breach at DHS this year. We must ensure we are not expanding the use of biometrics at the expense of the privacy of the American public," Thompson said.