U.S. Customs Loses Facial Recognition Photos in Data Breach (Updated)
An unknown number of facial-recognition photos of travelers taken by U.S. Customs and Border Protection were compromised in a data breach.
UPDATED 9:55 a.m. Eastern time Tuesday (June 11) with additional information from The Register. This story was originally published June 10 at 5:20 p.m. Eastern time.
U.S. Customs and Border Protection, which screens arrivals from foreign cities at U.S. airports, has had an undisclosed number of facial-recognition photos compromised in a data breach. The story was first reported by The Washington Post.
The Post said today (June 10) the images were part of a pilot program that takes photographs of travelers both into and out of the country at certain airports. The images were "compromised as part of an attack on a federal subcontractor."
The data is said to include license-plate photos as well, which may indicate that the compromised data set may include data from land border crossings with Canada and Mexico.
"On May 31, 2019, CBP learned that a subcontractor, in violation of CBP policies and without CBP's authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor's company network,"a CBP spokesperson told Tom's Guide.
"The subcontractor's network was subsequently compromised by a malicious cyber-attack. No CBP systems were compromised."
The statement did not give any indication regarding the number of images compromised, or where and when the images might have been originally taken by CBP's subcontractor.
Sign up to get the BEST of Tom's Guide direct to your inbox.
Get instant access to breaking news, the hottest reviews, great deals and helpful tips.
"The statement is all we have at this time," a CBP spokesperson told Tom's Guide.
The Post noticed that The Register late last month noticed that data stolen from Perceptics, a company that makes license-plate readers used at points of entry along the U.S.-Mexican border, was being offered for sale in an underground forum. The Post said a Microsoft Word document it received with CBP's official public statement had "Perceptics" in its title.
However, the CBP statement provided to Tom's Guide said that "as of today, none of the image data has been identified on the Dark Web or internet."
Ironically, Washington Post technology columnist Geoffrey A. Fowler posted a piece this morning warning of the privacy dangers posed by CBP's airport facial-recognition program. Fowler tweeted that he would "now need to update" that column.
UPDATE: In an additional statement provided to Tom's Guide Monday evening, a CBP spokesperson said that "Initial reports indicate that the traveler images involved fewer than 100,000 people; photographs were taken of travelers in vehicles entering and exiting the United States through a few specific lanes at a single land border Port of Entry over a 1.5 month period. No other identifying information was included with the images."
"No passport or other travel document photographs were compromised and no images of airline passengers from the air entry/exit process were involved," the statement added. "No CBP networks or databases were breached as a result of the cyber-attack."
Citing an unnamed government official, The New York Times said the subcontractor whose network was breached was indeed Perceptics.
Citing its own government official, who requested anonymity, The Washington Post said that Perceptics was using the CBP license-plate and driver images "to refine its algorithms to match license plates with the faces of a car's occupants," which Perceptics was not authorized to do.
The Post's source said that data from travelers crossing the Canadian border was "also included." It was not immediately clear whether that implied the bulk of the images came from a port of entry along the Mexican border. The Post said Perceptics' own marketing materials claimed the company had installed license-plate readers at 43 vehicle lanes at checkpoints along the U.S.-Mexican border manned by CBP.
There are about 50 ports of entry along the U.S.-Mexican border, although several are pedestrian-only, and more than 100 along the far longer U.S.-Canadian border, including Alaska.
UPDATE: The Register took a second look at the data it had obtained in connection with its May story about an apparent data breach at Perceptics. It "uncovered at least 4,000 .JPG and .TIF images of, among other things, license plates, some identified and some not, belonging to vehicles passing through CBP's checkpoints including those in Santa Teresa and Columbus, New Mexico, on the southern border with Mexico, and the Hidalgo Port of Entry on the Texas-Mexico border."
The Register also noted that as of June 10, the hidden website offering the Perceptics data still listed the data as available for download.
Best Identity Protection Services
Best Overall
Get it. IdentityForce UltraSecure+Credit is the best overall service for both credit monitoring and identity protection. It also protects your account with two-factor authentication.
Best Data Monitoring
It's worth it. Get LifeLock Ultimate Plus if you're very worried about having your identity stolen and you also need antivirus software. But you can get better credit monitoring for less with IdentityForce UltraSecure+Credit.
Best Tools
Good, but not the best. Identity Guard isn't bad, but for about the same price, IdentityForce UltraSecure+Credit offers more comprehensive personal-data and credit-file monitoring.
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.