Thousands of photos of travelers and their license plates were compromised at a point of entry on the U.S.-Canadian border in a “malicious cyberattack,” officials say.
U.S. Customs and Border Patrol (CBP) learned on May 31st that a subcontractor they were working with transferred images of license plates and people crossing the border from CBP to their company network, violating CBP policies and contract, according to a CBP spokesperson.
“Initial reports” showed the compromised photos were only from one port of entry and nearly 100,000 people were affected by it. No other information was compromised and no CBP networks or databases were breached, the CBP spokesperson stated.
Perceptics is a U.S. technology company that focuses on border security, electronic toll collection, commercial vehicle enforcement and highway and city security. Last month, the company had a major breach of data that got leaked onto the dark web, according to British technology news site The Register.
May 23: The Reg: Perceptics, a license-plate recognition tech vendor used by US border cops, was hacked https://t.co/FQeDEEWZ14
June 10: WaPo: “US Customs and Border Protection says photos of travelers … were recently taken in a data breach” – believed to be Perceptics
— The Register (@TheRegister) June 10, 2019
The CBP official, however, claims that none of the photos or data stolen are on the internet or dark web.
An unnamed U.S. official told The Post that the photos were taken from the U.S.-Canadian border and that the hack was not carried out by a foreign country.
Although CBP did not confirm Perceptics was the subcontractor, the U.S. official said Perceptics was attempting to match license plates with faces inside of the car and reprogram its algorithm, which they were not cleared to do.
“Due to the industry that Perceptics is in and the customers they serve (U.S. government), it isn’t surprising that they were targeted,” Alex Heid, Chief Research & Development Officer at SecurityScorecard, told The Daily Caller.
Hackers will normally research and target private companies that work with the government, Heid said. “SecurityScorecard’s platform examined Perceptics’ information and found that the company scored similar to those that are five times more likely to experience a breach incident.”
SecurityScorecard looked closely at “publicly available resources” that hackers could use against Perceptics and found “over 500 compromised email and password combinations from various breaches and credential stuffing ‘combo lists’” from the company on the dark web.
These email and password combinations “have been circulating for years” and came from “various circulated and publicized breaches.”
“Most of the larger circulating ‘combo lists’ that are used for credential stuffing attacks have Perceptics emails,” Heid stated.
CBP did not respond in time for publication answering if they knew about these compromised email and password combinations from Perceptics on the da
CBP has been in contact with Congress and some of the members have voiced their concerns about the amount of personal information the agency is collecting.
“Anyone whose information was compromised should be notified by Customs, and the government needs to explain exactly how it intends to prevent this kind of breach from happening in the future,” Democratic Oregon Sen. Ron Wyden said in a statement to The Post. “These vast troves of Americans’ personal information are a ripe target for attackers.”
This hack happened as CBP was planning to “expand its massive face recognition apparatus” and collect more information on individuals traveling along the border, Neema Singh Guliani, senior legislative counsel at the American Civil Liberties Union, told The Post.
“This incident further underscores the need to put the brakes on these efforts and for Congress to investigate the agency’s data practices. The best way to avoid breaches of sensitive personal data is not to collect and retain it in the first place,” Guliani concluded.
Heid believes companies need to “employ a continuous monitoring solution to constantly examine their external attack surface from the viewpoint of an attacker.”
“[H]acker chatter resources will go a long way to mitigate being the ‘low hanging fruit’ of an attack,” Heid concluded.
CBP is working with other law enforcement agencies, cybersecurity firms, and the agency’s Office of Professional Responsibility to investigate and monitor any leaked information from the hack. They did not respond for comment in time for publication.
Editor’s note: This post has been updated with additional information from SecurityScorecard.