Customs and Border Protection subcontractor hack exposes traveler photos, license plates

U.S. Customs and Border Protection said Monday that one of its subcontractors had been breached in a “malicious cyberattack,” compromising an unspecified number of images of travelers and license plates.

The hackers struck after the unnamed subcontractor transferred copies of the images collected by CBP to the subcontractor’s network, the Department of Homeland Security agency said in a statement.

“Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract,” a CBP spokesperson said, adding that the breached data had yet to show up on the dark web or public internet.

CBP, which learned about the hack on May 31, has told Members of Congress about the breach and is working with law enforcement agencies and “cybersecurity entities” to investigate, the spokesperson said.

While CBP did not identify the hacked subcontractor, the statement it emailed to The Washington Post included “Perceptics” in the title. Tennessee-based Perceptics, which provides license-plate-scanning services for CBP, was the victim of a hack and had its data posted to the dark web, The Register reported last month. It is unclear if that is the same breach announced by CBP on Monday.

Perceptics could not be immediately reached for comment.

As U.S. officials have employed a range of technologies to track people attempting to cross the U.S.-Mexico border, concerns around the privacy and security of the data collected have grown. A report last year from DHS’s inspector general found that IT systems used by the CBP to share data gathered by drones are “at increased risk of compromise by trusted insiders and external sources” because of security shortcomings.

Sen. Ron Wyden, D-Ore., called on the CBP to notify anyone whose information was compromised in the breach, and said the government “needs to explain exactly how it intends to prevent this kind of breach from happening in the future.”

“If the government collects sensitive information about Americans, it is responsible for protecting it – and that’s just as true if it contracts with a private company,” Wyden said.