Border Protection Loses Photos of Travelers in Data Hack

The U.S. Customs and Border Protection admits to losing some pictures of people going in and out of the U.S. Or rather, that its contractor—Perceptics LLC—lost them (which amounts to the same thing).

The agency, part of the Department of Homeland Security, calmly says there were no more than 100,000 photos. People who’ve seen the cache of stolen data on the dark web say there are “gigabytes” of it.

And obviously that’s nothing to worry about. This is fine.

But certain concerned citizens are certainly concerned. In today’s SB Blogwatch, we strike a pose.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Nan O’Bots.


Say Cheese, Please

What’s the craic? Drew Harwell, Geoffrey A. Fowler, Nick Miroff, Ellen Nakashima, and Tony Romm report under this confusing headline—“photos of travelers were taken”:

 [CBP] officials said Monday that photos of travelers had been compromised as part of a “malicious cyberattack,” raising concerns over how … expanding surveillance efforts could imperil Americans’ privacy. … The photographs were taken of people in vehicles entering and exiting the U.S. over a month and a half through a single land border entry port.

CBP said copies of “license plate images and traveler images” … had been transferred to the subcontractor’s company network, violating the agency’s … rules. The subcontractor’s network was then attacked and breached.

CBP would not say which subcontractor was involved. But a Microsoft Word document of CBP’s public statement … included the name “Perceptics” in the title.

Perceptics representatives did not immediately respond to requests for comment. CBP spokeswoman Jackie Wren said she was “unable to confirm” if Perceptics was the source of the breach.

One U.S. official … said it was being described inside CBP as a “major incident.” [They] said the data involved travelers crossing the Canadian border.

Anyone feeling a touch of déjà vu? Shaun Nichols crows, “That story we broke in May? It is still true – and perhaps even worse than first thought”:

 The CBP issued a statement outlining how it learned on May 31 that the unnamed contractor … copied license plate scans and traveler pictures to its own network, only to have … the data stolen. … The CBP went on to say it has removed all of the equipment used to gather the images … and will be “closely monitoring” the subcontractor for further screw-ups.

The presence of Perceptics in the Word doc title would reconfirm [our] report from May 23 that Perceptics … had been ransacked by hackers, who made off with and dumped on the dark web a snapshot of its entire IT estate. … That information dump, which encompassed hundreds of gigabytes of data, included internal emails and databases, documentation and client details, blueprints, backups, music, and more.

We found it on a hidden .onion website after a tipster alerted us to the leak. [But] the CBP’s carefully worded statement on Monday this week noted that “as of today, none of the image data has been identified on the dark web or internet.” … Make of that what you will. [It] is still alive and offering gigabytes of the subcontractor’s archives.

Oh, man. Charles C. Mann summarizes (slightly sarcastically):

 In a total surprise that absolutely nobody could have predicted, the federal gov’t’s new facial-recognition database is breached, just months after deployment.

Why do I feel uncomfortable about my face being stored? Evan Greer sneers, “This is a bombshell”:

 Even if you 100% trust the US government with your biometric information (which you shouldn’t) this is a reminder that once your face is scanned and stored in a database, it’s easily shared across government agencies, stolen by hackers, other governments etc.

But why should I care? I’ve broken no laws. This Anonymous Coward answers the FAQ:

 No matter who you are, there’s ALWAYS a law you have broken. At least one.

All they need is seven lines, written by the hand of the finest man, to “find” something to hang him for. (With credits to Cardinal Richelieu of inquisition infamy.)

Algorithms do not care what you are. In fact it is more work to code in a switch to exempt you.

At which, Terry Clark furiously eyerolls:

 Your response displays your ignorance of threat awareness and the process needed … to protect us from criminal and terrorist networks.

Go back to your D&D game. Leave national security to the folks that know what they are doing.

But David Rigamonte takes an even-handed view—“You take the good, you take the bad”:

 The risks are obvious – it makes the “slippery slope” to a police state much more slippery.

On one extreme, don’t collect the data at all, which means face-less driver’s licenses or at least no computer records of them. On the other extreme, have instant access to all such photos by any police officer at any time.

The current situation is somewhere in the middle. Another “in the middle” approach would be to store most data offline and compartmentalize access to it, so that even with a “need to know” it would take hours to process the paperwork needed to search even a small subset of the data, say, all records of people in a given county … against a given face, and days or weeks and significant expense … to search the entire country.

And MachDiamond asks if you’re “Feeling safer yet?”:

 The theatre of security goes on as data that’s being collected without notice or being required goes missing.

I’m surprised this leak wasn’t from the time-honored tradition of the laptop being stolen from a car while the person popped into their church for 10 minutes on the way home. Said employee planning on doing some work from home with no adequate reason given for them to be removing sensitive data from their workplace.

Meanwhile, Andy Kron enquires, “Why ****ing bother?”:

 The United States of China. Get ready for it.

And Finally:

Nanobot


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or sbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Bobby Hidy (cc:by-sa)

Richi Jennings

Richi is a foolish independent industry analyst, editor, writer, and fan of the Oxford comma. He’s previously written or edited for Computerworld, Petri, Microsoft, HP, Cyren, Webroot, Micro Focus, Osterman Research, Ferris Research, NetApp on Forbes and CIO.com. His work has won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
