The Department of Homeland Security (DHS) finally acknowledged Wednesday that photos that were part of a facial recognition pilot program were hacked from a Customs and Border Control subcontractor and were leaked on the dark web last year.
Among the data, which was collected by a company called Perceptics, was a trove of traveller’s faces, license plates, and care information. The information made its way to the Dark Web, despite DHS claiming it hadn’t. In a newly released report about the incident, the DHS Office of Inspector General admitted that 184,000 images were stolen and at least 19 of them were posted to the Dark Web.
“CBP did not adequately safeguard sensitive data on an unencrypted device used during its facial recognition technology pilot,” the report found. “This incident may damage the public’s trust in the Government’s ability to safeguard biometric data and may result in travellers’ reluctance to permit DHS to capture and use their biometrics at U.S. ports of entry.”
CBP uses a lot of technology to identify and track people crossing America’s borders. Cameras capture every car and face that moves across the wall, and computers collect that data and process it, looking for alleged criminals and terrorists. According to the new report, DHS’s biometric database “contains the biometric data repository of more than 250 million people and can process more than 300,000 biometric transactions per day. It is the largest biometric repository in the Federal Government, and DHS shares this repository with the Department of Justice and the Department of Defense.”
A biometric scanning project of this size costs a lot of money and requires a complex network of contractors and subcontractors. One of those contractors was Perceptics, a company that processes images of faces and cars captured at toll booths, highway cameras, and border crossings. According to the DHS report, Perceptics is at fault for people’s faces and license plates ending up on the Dark Web.
“A subcontractor working on this effort, Perceptics, LLC, transferred copies of CBP’s biometric data, such as traveller images, to its company network,” the report found.
DHS report claimed that Perceptics accessed this data without its knowledge and “later in 2019, DHS experienced a major privacy incident, as the subcontractor’s network was subjected to a malicious cyber-attack” by a hacker known as Boris Bullet-Dodger. At the time, DHS denied to Motherboard and others that people’s faces and license plates had ended up on the Dark Web.
But they had. According to the report, a Perceptics employee gained access to a CBP site in Anzalduas, TX, by submitting IT tickets requesting CBP let them in to perform maintenance on cameras. The breach happened sometime between August 2018 and January 2019. Once inside, the Perceptics employee hooked an external hard drive up to CBP computers and downloaded the images and then uploaded them to a Perceptics server.
In May 2019, Perceptics got a ransom note from Boris Bullet Dodger. “Perceptics received a ransom note via an email from a hacker by the name of ‘Boris Bullet Dodger’ demanding 20 bitcoin within 72 hours,” the report said. “The ransom note stated that, without the bitcoin, stolen data would be uploaded to the dark web. Perceptics did not pay the ransom, and the hacker uploaded more than 9,000 individual files to the dark web.”
After it learned of the hack, CBP pulled Perceptics credentials and banned it from working with the DHS ever again. “However, the suspension was lifted on September 26, 2019, leaving Perceptics eligible to participate as a contractor in Federal procurement processes,” the report said. “As a part of lifting the suspension, CBP and Perceptics agreed to correct the risks identified in CBP’s investigation of the data breach.”
The DHS OIG made several recommendations in its report that all boil down to “tighten up security and make sure this doesn’t happen again.” But the underlying issue will remain no matter how good IT security is—as long as Border Patrol is taking pictures of everyone crossing the border and storing them on machines, those machines will be vulnerable. The only way to make sure this never happens again is not to collect and store the data at all.