Customs and Border Protection “did not adequately safeguard” sensitive data during its facial recognition technology pilot last year, according to a new government watchdog report.
The data breach, which CBP announced in 2019, compromised approximately 184,000 traveler images from CBP’s facial recognition pilot, according to the Department of Homeland Security Inspector General, and at least 19 of the images were posted to the dark web.
“This incident may damage the public’s trust in the Government’s ability to safeguard biometric data and may result in travelers’ reluctance to permit DHS to capture and use their biometrics at U.S. ports of entry,” the inspector general wrote.
CNN reported on the data breach involving a subcontractor, Perceptics, LLC, in June 2019.
A CNN analysis last year also found that at least 50,000 American license plate numbers were made available on the dark web after Perceptics, which was hired by CBP, was at the center of a major data breach. The company was never authorized to keep the information, the agency told CNN at the time.
According to the inspector general, during the pilot program, Perceptics transferred copies of CBP’s biometric data, such as traveler images, to its own company network between August 2018 and January 2019.
The company’s network was later “subjected to a malicious cyber attack.” Perceptics staff violated security and privacy protocols when they downloaded the sensitive information onto their own network, according to the report. This occurred without CBP’s knowledge.
However, the watchdog concluded that CBP’s information security practices during the pilot were “inadequate to prevent the subcontractor’s actions.”
CNN has reached out to CBP and Perceptics for a response to the watchdog review.
CBP is mandated to use biometrics for arrivals and departures to and from the United States, but that system has been slow to be put in place. The agency has focused on implementing biometric screening for airport departures, but it is currently expanding its facial recognition technology for people departing the US at land borders.
It was the land border expansion that was at the center of the breach.
Perceptics gained “unauthorized access” to CBP’s data through a computer system connected to cameras at the test site in Anzalduas, Texas, according to the inspector general review. The data included images of drivers and passengers in their vehicles. The company downloaded approximately 184,000 traveler images “using an unencrypted USB hard drive that was eventually transported to their corporate office in Knoxville, Tennessee,” the review says.
“At some point prior to May 13, 2019,” the review states, there was a ransomware attack on the company’s corporate network. After the attack, CBP determined 105,000 license plate images were also stored on the company’s network from previous work with the agency.
In June of last year, CBP temporarily suspended Perceptics from future government contracts, but the suspension was lifted in September 2019. The company is now potentially eligible to be a contractor for CBP again.
This story has been updated with additional developments and background.