The US Customs and Border Patrol today said hackers broke into one of its bungling technology subcontractors – and made off with images of people and their vehicle license plates as they passed through America's land border.
The CBP issued a statement outlining how it learned on May 31 that the unnamed contractor, against Uncle Sam's privacy rules and security measures, copied license plate scans and traveler pictures to its own network, only to have that network invaded by hackers and the data stolen.
In an email to The Register, a spokesperson for the border cops said:
On May 31, 2019, CBP learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network. The subcontractor’s network was subsequently compromised by a malicious cyber-attack. No CBP systems were compromised.
Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract. As of today, none of the image data has been identified on the Dark Web or internet. CBP has alerted Members of Congress and is working closely with other law enforcement agencies and cybersecurity entities, and its own Office of Professional Responsibility to actively investigate the incident. CBP will unwaveringly work with all partners to determine the extent of the breach and the appropriate response.
The CBP went on to say it has removed all of the equipment used to gather the images involved in the leak, and will be "closely monitoring" the subcontractor for further screw-ups:
CBP has removed from service all equipment related to the breach and is closely monitoring all CBP work by the subcontractor. CBP requires that all contractors and service providers maintain appropriate data integrity and cybersecurity controls and follow all incident response notification and remediation procedures. CBP takes its privacy and cybersecurity responsibilities very seriously and demands all contractors to do the same.
While a CBP spokesperson declined to name the subcontractor at the heart of the kerfuffle, the Washington Post was first to receive the above statement – as a Microsoft Word document that had the name "Perceptics" in the file title. (Our copy arrived as a plain-text email body.)
The presence of Perceptics in the Word doc title would reconfirm the exclusive Register report from May 23 that Perceptics, a maker of license-plate reader hardware and software extensively used at the US government's borders and checkpoints, had been ransacked by hackers, who made off with and dumped on the dark web a snapshot of its entire IT estate. Perceptics touts systems that can recognize drivers and their cars from camera footage, allowing officials to verify travelers.
That information dump, which encompassed hundreds of gigabytes of data, included internal emails and databases, documentation and client details, blueprints, backups, music, and more.
A further review of those files today uncovered references to at least 4,000 .JPG and .TIF images of, among other things, license plates, some identified and some not, belonging to vehicles passing through CBP's checkpoints including those in Santa Teresa and Columbus, New Mexico, on the southern border with Mexico, and the Hidalgo Port of Entry on the Texas-Mexico border.
It appears the images were likely collected for troubleshooting or further development of the technology, rather than harvested en masse. There may be more images within the stolen data trove, of course. There are references to pictures taken in Alaska and San Diego, as well as sensor logs and error reports, for instance.
It is understood that fewer than 100,000 people have had their pictures or information leaked via the subcontractor.
While El Reg last month reported the data was being offered on the Tor network for anyone to download if they could find it – and indeed, we found it on a hidden .onion website after a tipster alerted us to the leak – the CBP's carefully worded statement on Monday this week noted that "as of today, none of the image data has been identified on the dark web or internet."
As of today? Make of that what you will. The .onion website hosting Perceptics's data is still alive and offering gigabytes of the subcontractor's archives via an rsync server, though we have not confirmed whether this download service is today working as advertised.
Should Perceptics indeed prove to have been the subcontractor, which seems rather likely, and if the dates provided are correct, that would mean the CBP learned of the security snafu some eight days after we contacted Perceptics on May 23 to warn it of the intrusion – a cyber-break-in Perceptics at the time acknowledged had happened but wouldn't go into further details – and then went public a week later.
A CBP spokesperson declined to confirm or deny Perceptics was the pwned subcontractor. A spokesperson for Perceptics, a former subsidiary of Northrop Grumman with customers around the world as well as various US states, could not be reached for immediate comment. ®