Breached license plate recognition provider back to work for CBP
Perceptics, the automated license plate reader company that suffered a massive breach of data it had collected under contract to U.S. Customs and Border Protection (CBP), has agreed to new security controls and will be allowed to continue working with the agency, The Washington Post reports.
At the time of the data breach, an anonymous official said the data was being used to train a facial recognition algorithm, in violation of the contract’s terms. The system was hacked, and the hackers posted its contents online after attempting to extort ransom out of Perceptics. In addition to facial biometric data, the leak exposed confidential agreements, hardware schematics, and other records the government did not want shared publicly, according to The Post.
Some members of Congress expressed outrage with the breach and concern about the conditions that enabled it, and Perceptics, after close to 30 years as a CBP contractor, was suspended from federal contracts in July in response to “evidence of conduct indicating a lack of business honesty or integrity.” A few months later, the agreement between Perceptics and CBP to allow the company’s federal government activities to resume has been made public.
The agreement between CBP and Perceptics was signed last month, and acknowledges that the breach was unacceptable, but somehow also finds it was not unethical or illegal. Perceptics apparently informed Unisys of the breach in its aftermath, but many details, such as how the system was compromised and why CBP learned about it only three weeks later, are still not known.
CBP says in the agreement that the suspension is lifted “only with adequate assurance that doing business with Perceptics does not pose an undue risk.” The agreement also notes that there is no evidence the government ever reviewed the security requirements of Perceptics systems, and that the company cannot inform the people whose data was stolen, as it is unable to identify them.
Perceptics did agree to implement new privacy and security measures and other reporting measures, and to pay for an independent evaluation of its compliance.
“It’s easier for CBP to stick with the status quo rather than re-engineering their entire surveillance apparatus,” Electronic Frontier Foundation researcher Dave Maas told The Post. “But it’s also disappointing. I’d like to see agencies — when they find the technology they’re dealing with is vulnerable, and that the contractors have acted irresponsibly — revisit not just who they’re contracting with but how they use the technology in general. … Bigger and bigger breaches are going to happen.”
CBP officials say that the FBI is investigating the breach, though the FBI will not confirm that an investigation is taking place.
Perceptics systems are used at land border crossings at both the Northern and Southern borders of the U.S.