The Washington Post

Customs data breach

Photos of travelers stolen, raising fears of expanded surveillan­ce power

- BY DREW HARWELL AND GEOFFREY A. FOWLER drew.harwell@washpost.com geoffrey.fowler@washpost.com Nick Miroff, Tony Romm and Ellen Nakashima contribute­d to this report.

Travelers’ photos compromise­d in “malicious cyberattac­k.”

U.S. Customs and Border Protection officials said Monday that photos of travelers were compromise­d as part of a “malicious cyberattac­k,” raising concerns over how federal officials’ expanding surveillan­ce efforts could imperil Americans’ privacy.

Customs officials said in a statement Monday that the images, which included photos of people’s faces and license plates, were compromise­d as part of an attack on a federal subcontrac­tor.

CBP makes extensive use of cameras and video recordings at airports and land border crossings, where images of vehicles are captured. Those images are used as part of a growing agency facialreco­gnition program designed to track the identity of people entering and exiting the United States.

CBP says airport operations were not affected by the breach, but declined to say how many people might have had their images stolen. CBP processes more than a million passengers and pedestrian­s crossing the U.S. border on an average day, including more than 690,000 incoming land travelers.

A CBP statement said that the agency learned of the breach on May 31 and that none of the image data has been identified “on the Dark Web or Internet.” But reporters at the Register, a British technology news site, reported late last month that a large haul of breached data from the firm Perceptics was being offered as a free download on the “dark net.”

CBP would not say which subcontrac­tor was involved. But a Microsoft Word document of CBP’s public statement, sent Monday to Washington Post reporters, included the name “Perceptics” in the title: “CBP Perceptics Public Statement.”

Perceptics representa­tives did not immediatel­y respond to requests for comment.

CBP spokeswoma­n Jackie Wren said she was “unable to confirm” whether Perceptics was the source of the breach.

One U.S. official, who spoke on the condition of anonymity because they were not authorized to discuss the breach, said it was being described inside CBP as a “major incident.” The official said Perceptics was attempting to use the data to refine its algorithms to match license plates with the faces of a car’s occupants, which the official said was outside of CBP’s sanctioned use. The official said data from travelers crossing the Canadian border was also included.

The breach raised alarms in Congress, where lawmakers have questioned whether the government’s expanded surveillan­ce measures could threaten constituti­onal rights and open millions of innocent people to identity theft.

“If the government collects sensitive informatio­n about Americans, it is responsibl­e for protecting it — and that’s just as true if it contracts with a private company,” Sen. Ron Wyden (D-Ore.) said in a statement to The Post. “Anyone whose informatio­n was compromise­d should be notified by Customs, and the government needs to explain exactly how it intends to prevent this kind of breach from happening in the future.”

Wyden said the theft of the data should alarm anyone who has advocated expanded surveillan­ce powers for the government. “These vast troves of Americans’ personal informatio­n are a ripe target for attackers,” he said.

Civil rights and privacy advocates said that the theft of the informatio­n is a sign that the government’s growing database of identifyin­g imagery has become an alluring target for hackers and cybercrimi­nals.

“This breach comes just as CBP seeks to expand its massive facerecogn­ition apparatus and collection of sensitive informatio­n from travelers, including license plate informatio­n and social media identifier­s,” said Neema Singh Guliani, senior legislativ­e counsel at the American Civil Liberties Union. “This incident further underscore­s the need to put the brakes on these efforts and for Congress to investigat­e the agency’s data practices. The best way to avoid breaches of sensitive personal data is not to collect and retain it in the first place.”

CBP said copies of “license plate images and traveler images collected by CBP” had been transferre­d to the subcontrac­tor’s company network, violating the agency’s security and privacy rules. The subcontrac­tor’s network was then attacked and breached. No CBP systems were compromise­d, the agency said.

It’s unclear whether passport or facial-recognitio­n photos were included in the breach.

Perceptics and other companies offer automated licensepla­te-reading devices that federal officials can use to track a vehicle, or its owner, as it travels on public roads.

Immigratio­n agents have used such databases to track down people who may be in the country illegally. Police agencies have also used the data to look for potential criminal suspects.

Perceptics, based in Tennessee, has championed its technology as a key part of keeping the border secure. “You want technology that generates data you can trust and delivers it when and where you need it most,” a marketing website says.

The company also said recently that it has installed license-plate readers at 43 U.S. Border Patrol checkpoint lanes across Arizona, California, New Mexico and Texas, saying they offered border guards “superior images with the highest license plate read rate accuracy in North America.”

The federal government, as well as the group of private contractor­s it works with, has access to a swelling database of people’s cars and faces, which it says is necessary to enhance security and enforce border laws.

Rep. Bennie Thompson (DMiss.), chairman of the House Homeland Security Committee, said he intends to hold hearings next month on Homeland Security’s use of biometric informatio­n.

“Government use of biometric and personal identifiab­le informatio­n can be valuable tools only if utilized properly. Unfortunat­ely, this is the second major privacy breach at DHS this year,” Thompson said, referring to a separate breach in which more than 2 million U.S. disaster survivors had their informatio­n revealed by the Federal Emergency Management Agency. “We must ensure we are not expanding the use of biometrics at the expense of the privacy of the American public.”

 ?? JOHN MOORE/GETTY IMAGES ?? A U.S. surveillan­ce camera monitors the internatio­nal bridge between Mexico and the United States in Hidalgo, Tex.
JOHN MOORE/GETTY IMAGES A U.S. surveillan­ce camera monitors the internatio­nal bridge between Mexico and the United States in Hidalgo, Tex.

Newspapers in English

Newspapers from USA