US Border Agency Says Travellers’ Images Stolen By Hackers – Commentary

Reports have surfaced that U.S. Customs and Border Protection (CBP) officials have announced that photos of travelers have been compromised as part of a “malicious cyber-attack. Customs officials said in a statement yesterday that the images, which included photos of people’s license plates, had been compromised as part of an attack on a federal subcontractor. The agency maintains a database including passport and visa photos that is used at airports as part of an agency facial-recognition program. CBP declined to say what images were stolen or how many people were affected. 

Expert Comments:  

Tim Mackey, Principal Security Strategist at Synopsys CyRC (Cybersecurity Research Center):

“Any disclosure of traveler information is obviously concerning to anyone who has crossed the US border recently, but should be looked at through the lens of how the evolution of technology is occurring at our borders. With Trusted Traveler programs like Global Entry, Nexus and Mobile Passports becoming the norm for frequent travelers and with pilot programs using facial recognition systems occurring with some airlines, public confidence in the security of traveler data and cross border commerce is paramount. Due to the nature of the data involved in cross border activities, CBP and its sub-contractors are a prime target for malicious actors seeking to disrupt travel and trade between the US and its partners. In the case of this breach, CBP disclosed sensitive image data relating to border crossings was transferred from CBP to one of its sub-contractors contrary to CBP policies. From an IT governance perspective, this data transfer calls into question the level of authorisation required for data transfer between systems connected to a CBP network and serves as a lesson for everyone running an IT system with access to sensitive data. 

“While it may be tempting to critique CBP and its contractors, a far more productive approach would be to look at the level of controls within our respective enterprise networks. After all, if a data breach like this can occur within CBP then how easy would it be for someone to replicate the attack within an enterprise network? Enterprise IT leaders should look carefully at their threat models and determine if they have a sufficiently granular level of authentication and authorization controls for data access. In the process, a review of monitoring tools should be performed to identify any gaps in access logging which could cause unexpected data transfers to occur undetected. While reviewing the threat model and monitoring controls, it’s also an opportune time to review data collection and retention policies and feed this information back into the threat model to validate if its covering all current threats.” 

Dr Darren Williams, CEO and founder, BlackFog:

“Nobody is safe from cyberattack – not even US government agencies. With this latest data breach targeting travellers’ sensitive and personal information, it’s clear that organisations need to improve their cybersecurity practices. In particular, the risks that third-party subcontractors pose to cybersecurity practices are increasingly evident. The emphasis on protecting consumer data needs to not only be woven through an organisation’s culture, but also in all of its contractor relationships.   

“This means having honest conversations at the outset of procurement to conduct due diligence on a contractor’s cybersecurity protocols. Just as a business would credit check potential suppliers to ensure they have the necessary cashflow, organisations need to get suppliers to validate they have strong perimeter defence, data loss prevention measures, and preventative cybersecurity approaches in place, to avoid breaches like this from continuing to happen.”  

Sherrod DeGrippo, Senior Director of Threat Research and Detection:

“It is critical that organisations prioritize the security and access controls of their vendors, providers, and partners. These groups regularly handle sensitive data and must be examined by organisations thoroughly as they have the same culpability as the organisation itself. We recommend that organisations review subcontractors and other providers’ data security posture as if it were their own. Additionally, organisations can develop threat profiles that highlight areas of risk across verticals and implement a proactive people-centric security approach that mitigates each threat appropriately.”