Inspector General's Report Confirms CBP Contractor Was Hacked, Resulting In Sensitive Info Making Its Way To The Dark Web
from the collect-it-all,-protect-it-barely dept
Last year, a CBP vendor suffered a data breach affecting more than 100,000 people who had crossed the border at checkpoints. The CBP refused to name the contractor involved in the breach, but internal documents indicated it was Perceptics. Perceptics provided and maintained the system that photographed cars and their occupants as they crossed the border.
The vendor’s involvement in the breach has now been publicly confirmed, thanks to an Inspector General’s investigation of the incident. Sensitive information that was never supposed to be located on Perceptics’ servers was obtained by hackers and (partially) distributed on the dark web. [h/t Motherboard]
The report [PDF] lists the extent of the damage, which was fairly minimal given what was involved.
The subcontractor’s network was later the subject of a malicious cyber attack that compromised approximately 184,000 traveler images from CBP’s facial recognition pilot. After removing duplicate images, CBP reduced its estimate to 100,000 individual images, of which they discovered 19 were posted to the Dark Web.
From which the IG draws this inevitable conclusion:
This incident may ultimately result in damage to the public’s trust in Government biometric programs.
Yes, whatever trust there is that hasn’t been damaged yet, I guess.
Perceptics was authorized to be on-site to perform maintenance work. It was never authorized to transfer any photos to its own servers. But it did. And it did this in the worst way possible.
According to documentation from Unisys and CBP, Perceptics subsequently admitted to Unisys that it had downloaded approximately 184,000 traveler images from the equipment in conjunction with the work order tickets. Perceptics personnel accomplished this using an unencrypted USB hard drive that was eventually transported back to their corporate office in Knoxville, Tennessee. From there, subcontractor personnel uploaded CBP’s images to a Perceptics server.
This unauthorized data exfiltration led directly to another unauthorized data exfiltration.
Perceptics’ corporate network was subjected to a ransomware attack at some point prior to May 13, 2019. The attack compromised thousands of driver and passenger images that CBP captured during the VFS pilot. CBP determined that more than 184,000 traveler facial image files, as well as 105,000 license plate images from prior pilot work, were stored on the subcontractor’s network at the time of the ransomware attack. In addition, the hacker stole an array of contractual documents, program management documents, emails, system configurations, schematics, and implementation documentation related to CBP license plate reader programs.
Perceptics refused to pay the ransom and the hacker (d/b/a “Boris Bullet Dodger”) released “9,000 unique files” on the dark web.
The Inspector General says Perceptics should never have taken files offsite. But it’s not the only party to blame. CBP should have made this far more difficult to achieve.
Perceptics was able to make unauthorized use of CBP’s biometric data, in part because CBP did not implement all available IT security controls, including an acknowledged best practice. Additional IT security controls in place during the pilot could have prevented Perceptics from violating contract clauses and using an unencrypted hard drive to access and download biometric images at the pilot site.
The rest of the report is the CBP promising to secure barn doors as per the IG’s recommendations. Certainly this will have some effect going forward. But the fact remains the CBP collects a lot of personal information that can be tied to border crossers’ vehicles. All of this in one place continues to make the CBP — and most government agencies — tempting targets for malicious hackers.
Filed Under: border crossing, cbp, dark web, facial recognition, hacked, inspector general, leaked, security
Companies: perceptics, unisys
Comments on “Inspector General's Report Confirms CBP Contractor Was Hacked, Resulting In Sensitive Info Making Its Way To The Dark Web”
Gee its almost like they think you can just hand out credit monitoring and that makes everything better.
Meanwhile all the O2 is being sucked out of the room by ZOMG 230 screaming while after to many hacks to count, to many contractors violating the law, they still haven’t demanded tighter security with actual punishments & protections. But if we pay a few billion more for shitty planes we won’t ever actually use we’ll be safe again.
Something something Trump of all people should know how easy it is to leverage people when they have nothing & someone has dirt on them.
DOJ rightly focused on important things
So glad the DOJ is focused on what is truly important, encryption.
Low-Hanging Fruit
CPB Fails
Perceptics Fails
All a hacker needs is the understanding that in many circumstances these are usual levels of laziness, incompetence, and dishonesty. Pick a third-rate government agency with no specialization in IT security and hack their brand-X, private sector consultants…harvest time!
Re: Low-Hanging Fruit
Even lower:
Don’t be doing this recording and storing of everything in the first place.
Stop contracting out anything, really.
And here I was worried for a second...
And of course this is the same government that is trying to undermine security for everyone by mandating broken encryption because they’re too lazy and/or corrupt to do their damn jobs.
Interesting language
Perceptics "violat[ed] contract clauses"
The hacker "stole"
of course in reality they both did the same thing – copied data that they weren’t allowed to.
Re: Interesting language
Exactly this. CBP is pretty much doing it also when creating and storing data from meatspace.
shy asian brides
Who reports the official united states unemployment rate
Illustrative photography (original: VNA) Hanoi (VNA) Despite adverse is affecting of COVID 19 pandemic, Social welfare has still been ensured, The macro economy stabilised and inflation effectively reigned in, in order to Director General of the General Statistics Office (GSO) Nguyen Thi Huong. Addressing a press briefing on the socio economy in the first nine months of 2021 on September 29, The GSO official attributed the results to the active engagement of the whole political system as well as the timely and drastic directions from the government and the Prime Minister, And <a href=https://www.love-sites.com/10-simple-rules-of-dating-shy-asian-brides/>Asian brides</a> joint efforts of all areas, locations, Businesses and people in america. Social welfare ensured Huong said that as of september 21, basically 13.8 trillion VND (605.99 million usd) Worth of support had been ship to nearly 17.6 million pandemic hit of us, that 11.4 trillion VND was spent on 23 provinces and cities heavily plagued by the pandemic. scenario, 136,349 <find>out more.] About Macro economic stability, Social contentment ensured despite COVID 19: GSO leaderVit Nam refutes ‘false’ claim on militia implementation in East SeaLk Lake, A peaceful spot in the Central Highlands16,715 new COVID 19 cases reported on ThursdayMasan Group Top ASEAN consumer pick according to Bank of America16,715 new cases publicised on January 20Vit Nam, Hungary foster parliamentary cooperationApple discontinues full size HomePod, to pay attention to HomePod miniiPhone demand weakness just ‘noise,’ outlook is still strong, Analyst saysAd duplicated HBO Max option coming in JuneApple Watch SE returns to $259, Cellular $309 in today’s Amazon dealsDaVinci Resolve and Fusion now basically support M1 Macs.
[—-]