License plate images and photos of individuals who traveled in and out of the United States were taken in a malicious hack impacting U.S. Customs and Border Protection (CBP), according to a report in the Washington Post. The agency learned last month about the breach, which took place thanks to a hack of an unnamed subcontractor.
CBP blamed the subcontractor for failing to follow security and privacy rules by transferring the agency’s photos to the subcontractor’s own network. The agency operates a database of visa and passport photos as part of a face recognition system and database used widely at American airports despite criticism for privacy and accuracy failures. It processes over 1 million travelers per day and is building up to use the face recognition system in at least 20 airports thanks to a Trump executive order.
The exact nature of the stolen data, its connection to the face recognition system, and the scale of the breach remain unclear. CBP did not respond to questions on the subject. DHS did not identify which subcontractor was hacked.
Last month, Perceptics, a company that builds and sells license plate readers, was hacked. The data was stolen and put up for sale almost immediately. It is not currently known whether this hack is separate from the breach CBP announced today.
On Monday, the Washington Post reported that “a Microsoft Word document of CBP’s public statement, sent Monday to Washington Post reporters, includes the name ‘Perceptics’ in the title.”
Perceptics did not immediately respond to a request for comment.
Face recognition has become the focal point of a fiery national debate over privacy and security. San Francisco recently banned the technology’s use by government agencies, and other jurisdictions are considering similar legislation. In an instance of incredible timing, NYPD Commissioner James O’Neill wrote an op-ed in the New York Times just last week about how face recognition “makes you safer.”
“CBP learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network,” according to an agency statement reported by TechCrunch. “Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract.”
Here’s the full statement from CBP:
This post will be updated as more information becomes available.