In recent years, there has been a strong push by the United States Customs and Border Protection Agency (CBP) for the use of facial recognition technology to monitor people entering and exiting the US. In fact, CBP has been pushing to deploy this facial recognition technology for 97% of passengers leaving the US via air by 2021.
This collection of biometric data has drawn a lot of opposition, mainly due to privacy concerns. In fact, San Francisco has banned the use of facial recognition technology by its city agencies. The ban is designed to protect citizens from misuse of their personal data.
Despite the blowback from privacy advocates, CBP has begun deploying facial recognition technology at some US border crossings. However, they have demonstrated their inability to implement appropriate data protection strategies for this data. In May 2019, CBP discovered a breach of some of the images taken by one of their border crossing stations.
The CBP Photo Breach
The CBP has begun limited deployment of facial recognition technology at various air and land border crossings. One of the locations where this technology is deployed is a land crossing at the US/Canada border. On May 31, 2019, CBP discovered a data breach of images collected at this crossing. The breached data included one and a half months’ worth of images. These pictures included the faces of the people in each vehicle and the vehicle’s license plate. In total, about 100,000 people were affected by the data breach.
The breach was caused by a hack of the computer systems of a CBP subcontractor. This subcontractor moved the data from CBP systems to their own without authorization and was later breached (CBP systems remained unaffected). CBP did not officially name the subcontractor at fault for the breach, but it is believed that Perceptics is at fault. According to the CBP, the breached data is not available on the Dark Web. However, research by the news site The Register has determined that the data is in fact available there to hackers.
Privacy Impacts of the Breach
The data leaked during this breach is not of types usually considered to be “high impact”. The breached data only included facial images of passengers in the vehicles crossing the border and the car license plates. No passport, driver’s license, or other sensitive information was included in the breached dataset.
However, the breached data does have some privacy impacts. Those with access to the breached dataset have the ability to mine it for useful information. The leaked data can be used to match license information to faces, track people’s travel to and from Canada, and potentially gather data about relationships between people within the vehicle.
Beyond the breach itself, the circumstances of the breach demonstrate the danger of collecting such sensitive information and not implementing appropriate security protections for it. The CBP subcontractor who was responsible for the breach illegally removed the data from CBP systems to their own systems.
No protections were in place to prevent this or the subsequent misuse of the data. And it is believed that the data was misused by the subcontractors after its relocation to their systems. The data was likely used to improve algorithms designed to match license plate numbers to the faces of the occupants of the vehicle. This is outside the use of the data sanctioned by CBP. As a result, the biometric data collected by CBP was being used illegally after being stolen by a CBP subcontractor.
The Importance of Supply Chain Security
The issues around the use of the data by the CBP subcontractor demonstrate the importance of developing and implementing a strong supply chain security solution. CBP had collected sensitive data and granted limited use of this data to their subcontractors; however, no safeguards were put into place to ensure that the subcontractor abided by the terms of their contract.
The first unauthorized action taken by the CBP subcontractor was the exfiltration of the collected data to the subcontractor’s network. A variety of different solutions could have been implemented to prevent this. A data security solution could have detected and prevented the unauthorized removal of the data from CBP systems. A user behavior analytics system could have detected the unusual behavior of the subcontractor and alerted CBP’s security team to take action. Since neither of these protections was in place, the subcontractor was able to take and misuse the data entrusted to their care, and in doing so exposed it to theft.
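The two controls described above can be sketched as a small detector over transfer logs; this is an added example, not code from CBP or any vendor. The log format, account and host names, allowlist and thresholds are all assumptions made for illustration, and the records are constructed.

```python
from collections import defaultdict
from statistics import median

APPROVED = {"plates.agency.example"}  # hypothetical allowlist of sanctioned stores
BASELINE_DAYS = 5                     # assumed baseline window
THRESHOLD = 6.0                       # assumed cut-off, in MADs above the median

# Constructed egress records: date, account, destination, megabytes sent
SAMPLE_LOG = """\
2024-01-01 vendor-svc plates.agency.example 100
2024-01-02 vendor-svc plates.agency.example 110
2024-01-03 vendor-svc plates.agency.example 95
2024-01-04 vendor-svc plates.agency.example 105
2024-01-05 vendor-svc plates.agency.example 100
2024-01-06 vendor-svc plates.agency.example 102
2024-01-07 vendor-svc plates.agency.example 98
2024-01-07 vendor-svc files.vendor.example 4000
"""

def parse(log):
    for line in log.strip().splitlines():
        day, account, dest, mb = line.split()
        yield day, account, dest, int(mb)

def detect(log):
    """Return (day, account, reason, detail) alerts for a transfer log."""
    daily = defaultdict(lambda: defaultdict(int))
    alerts = []
    for day, account, dest, mb in parse(log):
        daily[account][day] += mb
        if dest not in APPROVED:  # control 1: destination outside the contract
            alerts.append((day, account, "unapproved-destination", dest))
    for account, per_day in daily.items():
        days = sorted(per_day)
        for i in range(BASELINE_DAYS, len(days)):
            history = [per_day[d] for d in days[i - BASELINE_DAYS:i]]
            med = median(history)
            mad = median(abs(v - med) for v in history) or 1  # avoid divide-by-zero
            score = (per_day[days[i]] - med) / mad
            if score > THRESHOLD:  # control 2: volume far above this account's norm
                alerts.append((days[i], account, "volume-spike", round(score, 1)))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The median and median absolute deviation are used instead of mean and standard deviation so that a single earlier spike does not inflate the baseline and hide the next one.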
This data breach underscores the importance of a strong supply chain security solution. While CBP’s contract with their subcontractor likely forbade them from taking these actions, that didn’t prevent them from doing so. Implementing security protections to protect against these types of incidents
Aftereffects of the CBP Breach
The CBP has recently been pushing to use facial recognition technology to track people crossing the US border. Such systems have been deployed to a limited extent at some US border crossings. However, CBP discovered in late May 2019 that one of their subcontractors had made an unauthorized copy of some of the collected data on their own network, exposing it to hackers. The incident demonstrated the importance of properly securing this type of sensitive personal data and underscored the importance of implementing appropriate data security defenses to protect against potential attacks targeting an organization’s supply chain.