FB pixel

Breached CBP contractor may have been training biometric facial recognition algorithm


Facial images of travelers and license plate data have been stolen from a U.S. Customs and Border Protection (CBP) subcontractor, which appears to have been trying to train a facial biometric algorithm with CBP data it was not supposed to have, drawing immediate criticism from privacy advocates and concerned lawmakers. It is unclear at this time if the breach, first reported by The Washington Post, includes facial images captured for biometric matching as part of CBP’s Biometric Exit program.

An official, speaking anonymously, told The Post that the subcontractor was attempting to use the images to train its algorithms to match license plates with the faces of car occupants, which was outside of the approved use of the data. The images came from the Canadian border, according to the source, and a state actor is not suspected inside the agency.

Images of fewer than 100,000 people have been breached as part of an attack on the federal contractor, a statement from CBP said. While the agency did not identify the subcontractor to the Post, it did provide a statement titled “CBP Perceptics Public Statement.” Perceptics is a company based in Tennessee that provides license plate readers, and has claimed to be CBP’s sole provider of automatic license plate readers for U.S. land borders. Perceptics was hacked in May, and The Register reported thousands of files, including images the publication presumed were of license plates, were available on the dark web.

CBP says in its statement that none of the image data stolen has been identified on the dark web, so it may be a separate incident. The agency also says its own network was unaffected. No passport or other travel document data was stolen, CBP says, and “no images of airline passengers from the air entry/exit process were involved.”

The statement also says that the contractor violated CBP’s policies and mandatory security and privacy protocols in its contract by transferring images to its company network.

Senator Ron Wyden, who has called for the use of facial biometrics by CBP and law enforcement to be scrutinized by the Government Accountability Office (GAO), said the government now has a burden to explain how it will prevent a repeat.

“This incident should be a lesson to those who have supported expanding government surveillance powers – these vast troves of Americans’ personal information are a ripe target for attackers,” said Wyden in a statement reported by TechCrunch.

“The best way to avoid breaches of sensitive personal data is not to collect and retain such data in the first place,” says ACLU Seior Legislative Counsel Neema Singh Guliani.

The Hill reports that the House Homeland Security Committee, meanwhile, is preparing to hold hearings into the use of biometrics by the Department of Homeland Services (DHS), of which CBP is a part. Committee Chairman Bennie Thompson (D-Miss.) announced the hearing, and criticized DHS for the breach.

“Government use of biometric and personal identifiable information can be valuable tools only if utilized properly,” Thompson said. “Unfortunately, this is the second major privacy breach at DHS this year. We must ensure we are not expanding the use of biometrics at the expense of the privacy of the American public.”

The House Committee on Oversight and Reform has held its first two hearings into the use of facial recognition, and expressed bi-partisan support for the rapid enactment of regulation on the technology.

Article Topics

 |   |   |   |   | 

Latest Biometrics News


DHS awards SVIP contract to Procivis for decentralized identity software

Procivis AG, a subsidiary of Swiss institution Orell Füssli, has been awarded a tender through the U.S. Department of Homeland…


IDnow rides online betting wave from UEFA Euro Championship

IDnow is capitalizing on UEFA European Football Championship fever, registering over eight times more identity verification requests on sports betting…


Android 15 integrates biometric security across the board

In the latest Android 15 Beta 3 release, significant progress has been made in the area of biometric authentication. In…


Vote begins on biometric injection attack standard

Europe’s standard for biometric data injection attacks is on track to be published in October of this year, and could…


Police Scotland engages public on biometric data rights amid cloud storage concerns

Police Scotland has commenced the distribution of an information leaflet to all individuals in police custody who have their biometric…


‘Facial recognition is the easy part’: digital travel ID pilot results are in

Air travel has been getting more complicated. From security and passport checks to special documents such as COVID-19 certificates, passengers…


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Read This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events