[BreachExchange] US Customs and Border Protection reportedly suspends subcontractor over cyberattack

Destry Winant destry at riskbasedsecurity.com
Fri Jul 5 10:07:57 EDT 2019


https://www.cnet.com/news/us-customs-and-border-protection-reportedly-suspends-subcontractor-over-cyberattack/

The US Customs and Border Protection has reportedly suspended a
subcontractor following a "malicious cyberattack" in May that caused
it to lose photos of travelers into and out of the country.
Perceptics, which makes license plate scanners and other surveillance
equipment for CBP, has been suspended from contracting with the
federal government, The Washington Post reported Tuesday.

On June 12, CBP had confirmed that in violation of its policies, a
subcontractor had "transferred copies of license plate images and
traveler images collected by CBP to the subcontractor's company
network." The subcontractor's network was then compromised by a
cyberattack that affected under 100,000 people who entered and exited
the US in a vehicle through several specific lanes at one land border
during a 1.5-month period.

Federal records showed CBP officials citing "evidence of conduct
indicating a lack of business honesty or integrity," The Washington
Post reported.

Passports and travel document photos weren't taken in the cyberattack,
but it was reported later in June that the hackers stole sensitive CBP
data from Perceptics, including government agency contracts, budget
spreadsheets and even PowerPoint presentations.

The agency has been expanding its use of a face-matching system called
Biometric Exit at departure gates in several airports across the
nation.

"This breach comes just as CBP seeks to expand its massive face
recognition apparatus and collection of sensitive information from
travelers, including license plate information and social media
identifiers," Neema Singh Guliani, American Civil Liberties Union
senior legislative counsel, said in a statement in June. "This
incident further underscores the need to put the brakes on these
efforts and for Congress to investigate the agency's data practices.

"The best way to avoid breaches of sensitive personal data is not to
collect and retain such data in the first place."

Sen. Rick Scott also demanded answers from Acting Homeland Security
Secretary Kevin McAleenan on what exactly happened.

"Americans deserve to know how their personal information is being
used, especially by their government," he wrote. "Anything other than
full transparency is unacceptable."

In a statement Tuesday night, Perceptics categorically denied "any
illegal or unethical behavior."

"Perceptics is proud to have partnered in support of US Customs and
Border Protection for more than 35 years, during which time we have an
unblemished record," the company said in an emailed statement. "We
have worked for these years to secure the border and facilitate
legitimate trade and travel. We remain committed to working
collaboratively with CBP to address any and all concerns.

"We stand ready to meet to discuss this with the government in any
setting, and to demonstrate our support of the CBP mission."

CBP didn't immediately respond to a request for comment.

