The US Customs and Border Protection (CBP) has announced that photos taken of travellers entering the United States and their license plates have been compromised in a data breach.
The images were compromised through a third-party subcontractor, which had “violated mandatory security and privacy protocols” by transferring the images onto their own system, which was subsequently targeted by a cyberattack.
Congress has been notified of the breach, which was first detected on 31 May, and the CBP is working with law enforcement and cybersecurity experts to determine the extent of the breach.
The breach is believed to involve fewer than 100,000 people who entered the US in a vehicle via a single land border port over a six-week period. No other identifying information, such as password information, is thought to have been compromised.
Despite speculation that this may be linked to a haul of data belonging to vehicle identification firm Perceptics that appeared on the dark web last month, CBP said that it has not identified any of the compromised data available on the dark web or online, according to the Washington Post.
Organisations must monitor subcontractor cybersecurity
The US Customs and Border Protection breach highlights the glaring vulnerability presented by third-party contractors, and the need to monitor access to and the handling of critical company data.
“It is critical that organisations prioritise the security and access controls of their vendors, providers, and partners,” Sherrod DeGrippo, Senior Director of Threat Research and Detection at Proofpoint, told Verdict. “We recommend that organisations review subcontractors and other provers’ data security posture as if it were their own.”
Darren Williams, CEO of BlackFog, believes that organisations must start checking a potential partner’s cybersecurity practices before they begin working with them, much like they would check the organisation’s cashflow:
“Organisations need to get suppliers to validate they have strong perimeter defence, data loss prevention measures, and preventative cybersecurity approaches in places, to avoid breaches like this from continuing to happen.”
However, rather than pointing the figure at the CBP or its contractors, businesses should use this as an opportunity to consider their own data access monitoring and controls to ensure that they aren’t next to be targeted, according to Tim Mackey, Principal Security Strategist, Synopsys Cybersecurity Research Center.
“After all, if a data breach like this can occur within CBP, then how easy would it be for someone to replicate the attack within an enterprise network?”
In order to stay protected, enterprise IT leaders need to ensure they have “a sufficiently granular level of authentication and authorisation controls for data access”, Mackey said. Likewise, businesses should also review the monitoring tools they have in place and identify whether it is possible for data transfers to occur undetected, as well as their data collection and retention policies to ensure only necessary information is being collected and stored.
CBP breach shows facial recognition technology’s bad side
The breach comes as the CBP considers expanding its use of facial recognition technology at airports. The agency plans to install “biometric entry-exit systems” at the top 20 US airports by 2021, which will scan all international passengers entering and exiting the US.
Facial recognition technology has already received an abundance of criticism, and Paul Bischoff, privacy advocate for Comparitech, believes that the Customs and Border Protection breach shows why people are right to be concerned.
“The breach of the CBP’s photo database shows just how easily facial recognition technology can get out of hand when mistakes are made,” Bischoff told Verdict. “When the government takes and stores photos of people not suspected of any wrongdoing without their consent, and then loses those photos to criminals or nation-state actors, it has ramifications for all of us.”
A photograph may not sound like a significant piece of data to have stolen, but according to Bischoff, advancements in facial recognition means that even seemingly insignificant data can present opportunities for malicious actors to exploit when combined with other data.
Given the US State Department’s plans to request social media accounts, email addresses and phone numbers used by new visitors to the US in the past five years, there is a cause for concern.
“Through a combination of search algorithms and facial recognition, we are getting to a point where we can instantly identify many people with nothing but a photograph. When those photographs are combined with other information, such as a license plate number, it enables harassment, stalking, intimidation, and other crimes,” Bischoff said.