CBP biometric pilot data breached from Perceptics winds up on dark web

OIG mitigation and policy recommendations to be implemented

The report from the U.S. Office of the Inspector General (OIG) on last year’s breach of biometric data from a pilot being carried out by Customs and Border Protection at vehicle border crossings has found significant problems with the agency’s security controls, and recommended three actions to address them.

The 31-page ‘Review of CBP’s Major Cybersecurity Incident during a 2019 Biometric Pilot’ examines the breach from the Vehicle Face System (VFS) at the Anzalduas, Texas Port of Entry, considering how data is transferred to the VFS database, the protections applied to the data, and where they failed.

The breach included 184,000 traveler images from the facial recognition pilot, at least 19 of which found their way to the dark web. CBP hired Unisys Corporation to design, develop and install the biometric system, and the company contracted Perceptics to provide a facial image capture solution. The company already provided similar technology to CBP for other border crossings. Perceptics was reported at the time to have downloaded facial biometric data in order to train its own facial recognition algorithm, but the company has been allowed to continue working with CBP after agreeing to new security controls.

“Perceptics staff directly violated DHS security and privacy protocols when they downloaded CBP’s sensitive PII from an unencrypted device and stored it on their own network.” The fact that the contractor was able to do so indicates the inadequacy of CBP’s controls, according to the report.

DHS policies, including the security and privacy protocols set out in the DHS 4300A Sensitive Systems Handbook, mandate strict controls of sensitive data in CBP systems, and failures around unauthorized access and improper storage made the pilot data vulnerable, OIG finds. When Perceptics was hit with a ransomware attack at some point before May 13, 2019, a hacker stole images, as well as contractual and other documents related to CBP programs.

Perceptics was found to have violated three sets of rules: rules of behavior, by transferring data to its network; protection of sensitive information, by using an unencrypted USB; and reporting, by informing CBP approximately 7 days after Unisys.

The breach had a significant detrimental impact on public trust in the program, OIG notes.

The OIG makes three recommendations to CBP, each of which the agency agrees with.

OIG recommends that CBP implement all mitigation and policy recommendations identified in CBP threat assessments, including USB device restrictions. The agency is also urged to coordinate with the Office of Field Operations Deputy Executive Assistant Commissioner to ensure all additional security controls are implemented throughout Biometric Entry/Exit pilot locations, and to establish a plan for routine assessments of third-party equipment involved in biometric data collection to ensure compliance with the agency’s policies.
