Lawmakers on Friday continued to press for answers about the breach of Customs and Border Protection (CBP) data reportedly stolen by hackers, an incident said to affect as many as 100,000 individuals who crossed the U.S. border over a month-and-a-half period.
Few details have been released by the agency overseen by the Department of Homeland Security. Its statement has not been updated since June 10, when it announced that a subcontractor had transferred copies of license plate images and traveler photos amassed by CBP. “The subcontractor’s network was subsequently compromised by a malicious cyber-attack,” it said. “No CBP systems were compromised.”
In a letter to the agency on Friday, Senator Ed Markey, top Democrat of a Senate subcommittee focused on security, wrote to CBP asking for new details about the weeks-old hack. “I have previously written to you with questions about the collection of biometric data,” he wrote. “Those questions were driven by my concerns about both government overreach into individuals’ zones of privacy and the possible targeting of that data by a variety of actors with bad intent. Both of those concerns are again implicated here.”
The questions, if anything, shed light on how little is known about the incident. Markey asks CBP, for example, to detail specifically how many images of travelers’ faces and licenses plates were stolen.
It remains unclear whether the photos reportedly stolen by a hacker are linked to other pieces of personally identifiable information; it’s unknown whether those images were obtained exclusively from biometric and license plate analysis tools, or whether there are a photocopies of personal documents and IDs; and no one has stated whether the data is behind held for ransom.
As of Monday, CBP stated that none of the information appeared to be up for sale on the internet. However, Motherboard was able to download from the dark net “thousands” of traveler and license plate photos stolen from Perceptics, the subcontractor from which the CBP data is believed to have been taken.
“CBP has alerted members of Congress and is working closely with other law enforcement agencies and cybersecurity entities, and its own Office of Professional Responsibility to actively investigate the incident,” it said.
“Will DHS commit to notifying every individual whose information was compromised as a result of this data breach?” Markey asked. “If not, why not?”
A CBP spokesperson said the agency had nothing further to add at this time.
In a statement to Gizmodo, Senator Ron Wyden added:
“If the government collects sensitive information about Americans, it is responsible for protecting it – and that’s just as true if it contracts with a private company. Anyone whose information was compromised should be notified by Customs, and the government needs to explain exactly how it intends to prevent this kind of breach from happening in the future. This incident should be a lesson to those who have supported expanding government surveillance powers—these vast troves of Americans’ personal information are a ripe target for attackers.”