![](\"https:\/\/media.wired.com\/photos\/5cfec76203b458960e696669\/master\/pass\/GettyImages-1028263338.jpg\"\/)
<\/p>\n<\/p>\n
Credit to Author: Brian Barrett| Date: Mon, 10 Jun 2019 22:43:38 +0000<\/strong><\/p>\n In its rush <\/span>to gather biometric data from travelers in the US, Customs and Border Protection has apparently neglected basic safeguards to protect it. One of its subcontractors was recently breached, leaving photos of travelers and license plates in the hands of hackers.<\/p>\n The Washington Post<\/em> first reported<\/a> the incident, whose full scope remains unclear. But the hack has raised sharp questions about the agency\u2019s already controversial push for biometrics. Facial recognition scans have become more routine at airports<\/a>; CBP wants it<\/a> in the top 20 US airports by 2021.<\/p>\n \u201cThe CBP program should be suspended pending an investigation,\u201d says Jeramie Scott, senior counsel at the Electronic Privacy Information Center. \u201cThe agency simply should not collect this sensitive personal information if it cannot safeguard it.\u201d<\/p>\n CBP declined to name the breached subcontractor to the Post<\/em><\/a>, but apparently sent the news outlet a Microsoft Word document titled \u201cCBP Perceptics Public Statement.\u201d The Word file strongly suggests that Tennessee-based Perceptics, which makes license plate readers and has a decades-long<\/a> relationship with CBP, is the vendor in question.<\/p>\n That makes even more sense when you consider that a hacker calling themselves \u201cBoris Bullet-Dodger\u201d dumped hundreds of gigabytes of data stolen from Perceptics on the dark web in May. It\u2019s unclear if that breach, first reported by The Register<\/a><\/em>, is the same as the one CBP copped to Monday. The former became public on May 23; CBP says it found out that its database had been compromised over a week later.<\/p>\n \u201cOn May 31, 2019, CBP learned that a subcontractor, in violation of CBP policies and without CBP\u2019s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor\u2019s company network,\u201d the agency said in a statement. \u201cThe subcontractor\u2019s network was subsequently compromised by a malicious cyberattack. No CBP systems were compromised.\u201d<\/p>\n Perceptics did not respond to a request for comment. But regardless of which specific vendor the breach stems from, the upshot is the same.<\/p>\n CBP has given precious little information about how many people were impacted, a troubling lack of disclosure. It\u2019s not even clear exactly what type of data\u2014and whether it extends to biometrics beyond photos\u2014the database contained. While CBP says "none of the image data has been identified on the Dark Web or internet,\u201d the dump of hacked Perceptics data just a few short weeks ago doesn\u2019t give much confidence that this breach is contained, or will stay that way.<\/p>\n In short, the only people who know the full scope of this breach are CBP, an unnamed subcontractor, and whoever pulled off the hack.<\/p>\n Without more clarity on the contents of the database in question, it\u2019s hard to say for sure in terms of the impact on an individual level. Probably pretty bad, though! And on principle, it\u2019s close to a worst-case scenario.<\/p>\n That CBP itself wasn\u2019t directly hacked doesn\u2019t make the situation any better. In fact, it arguably makes things worse; the agency let a third party access incredibly sensitive data, and didn\u2019t ensure that appropriate security measures were in place. That it treats an image database of private citizens with the same lack of care that it does a Microsoft Word doc should set off very loud alarm bells.<\/p>\n \u201cCBP requires that all contractors and service providers maintain appropriate data integrity and cybersecurity controls and follow all incident response notification and remediation procedures,\u201d the agency said in its statement. \u201cCBP takes its privacy and cybersecurity responsibilities very seriously and demands all contractors to do the same.\u201d It\u2019s a fine sentiment; the facts of the case belie it.<\/p>\n