CBP biometric pilot data breached from Perceptics winds up on dark web
The report from the U.S. Office of the Inspector General (OIG) on last year’s breach of biometric data from a pilot being carried out by Customs and Border Protection at vehicle border crossings has found significant problems with the agency’s security controls, and recommended three actions to address them.
The 31-page ‘Review of CBP’s Major Cybersecurity Incident during a 2019 Biometric Pilot’ examines the breach from the Vehicle Face System (VFS) at the Anzalduas, Texas Port of Entry, considering how data is transferred to the VFS database, the protections applied to the data, and where they failed.
The breach included 184,000 traveler images from the facial recognition pilot, at least 19 of which found their way to the dark web. CBP hired Unisys Corporation to design, develop and install the biometric system, and the company contracted Perceptics to provide a facial image capture solution. The company already provided similar technology to CBP for other border crossings. Perceptics was reported at the time to have downloaded facial biometric data in order to train its own facial recognition algorithm, but the company has been allowed to continue working with CBP after agreeing to new security controls.
“Perceptics staff directly violated DHS security and privacy protocols when they downloaded CBP’s sensitive PII from an unencrypted device and stored it on their own network.” The fact that the contractor was able to do so indicates the inadequacy of CBP’s controls, according to the report.
DHS policies, including the security and privacy protocols set out in the DHS 4300A Sensitive Systems Handbook, mandate strict controls of sensitive data in CBP systems, and failures involving unauthorized access and improper storage made the pilot data vulnerable, OIG finds. When Perceptics was hit with a ransomware attack at some point before May 13, 2019, a hacker stole images, as well as contractual and other documents related to CBP programs.
Perceptics was found to have violated rules in three areas: rules of behavior, by transferring data to its network; protection of sensitive information, by using an unencrypted USB; and reporting, by informing CBP approximately 7 days after Unisys.
The breach had a significant detrimental impact on public trust in the program, OIG notes.
The OIG makes three recommendations to CBP, each of which the agency agrees with.
The OIG recommends that CBP implement all mitigation and policy recommendations identified in CBP threat assessments, including USB device restrictions. The agency is also urged to coordinate with the Office of Field Operations Deputy Executive Assistant Commissioner to ensure all additional security controls are implemented throughout Biometric Entry/Exit pilot locations, and to establish a plan for routine assessments of third-party equipment involved in biometric data collection to ensure compliance with the agency’s policies.