U.S. Customs Loses Facial Recognition Photos in Data Breach (Updated)

UPDATED 9:55 a.m. Eastern time Tuesday (June 11) with additional information from The Register. This story was originally published June 10 at 5:20 p.m. Eastern time.

U.S. Customs and Border Protection, which screens arrivals from foreign cities at U.S. airports, has had an undisclosed number of facial-recognition photos compromised in a data breach. The story was first reported by The Washington Post.

Participants in the Global Entry program use U.S. Customs kiosks at an airport. Credit: U.S. Customs and Border Protection

The Post said today (June 10) the images were part of a pilot program that takes photographs of travelers both into and out of the country at certain airports. The images were "compromised as part of an attack on a federal subcontractor."

The data is said to include license-plate photos as well, which may indicate that the compromised data set includes data from land border crossings with Canada and Mexico.

"On May 31, 2019, CBP learned that a subcontractor, in violation of CBP policies and without CBP's authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor's company network," a CBP spokesperson told Tom's Guide.

"The subcontractor's network was subsequently compromised by a malicious cyber-attack. No CBP systems were compromised."

The statement did not give any indication regarding the number of images compromised, or where and when the images might have been originally taken by CBP's subcontractor.

"The statement is all we have at this time," a CBP spokesperson told Tom's Guide.

The Post noted that The Register had reported late last month that data stolen from Perceptics, a company that makes license-plate readers used at points of entry along the U.S.-Mexican border, was being offered for sale in an underground forum. The Post said a Microsoft Word document it received with CBP's official public statement had "Perceptics" in its title.

However, the CBP statement provided to Tom's Guide said that "as of today, none of the image data has been identified on the Dark Web or internet."

Ironically, Washington Post technology columnist Geoffrey A. Fowler posted a piece this morning warning of the privacy dangers posed by CBP's airport facial-recognition program. Fowler tweeted that he would "now need to update" that column.

UPDATE: In an additional statement provided to Tom's Guide Monday evening, a CBP spokesperson said that "Initial reports indicate that the traveler images involved fewer than 100,000 people; photographs were taken of travelers in vehicles entering and exiting the United States through a few specific lanes at a single land border Port of Entry over a 1.5 month period. No other identifying information was included with the images."

"No passport or other travel document photographs were compromised and no images of airline passengers from the air entry/exit process were involved," the statement added. "No CBP networks or databases were breached as a result of the cyber-attack."

Citing an unnamed government official, The New York Times said the subcontractor whose network was breached was indeed Perceptics.

Citing its own government official, who requested anonymity, The Washington Post said that Perceptics was using the CBP license-plate and driver images "to refine its algorithms to match license plates with the faces of a car's occupants," which Perceptics was not authorized to do.

The Post's source said that data from travelers crossing the Canadian border was "also included." It was not immediately clear whether that implied the bulk of the images came from a port of entry along the Mexican border. The Post said Perceptics' own marketing materials claimed the company had installed license-plate readers at 43 vehicle lanes at checkpoints along the U.S.-Mexican border manned by CBP.

There are about 50 ports of entry along the U.S.-Mexican border, although several are pedestrian-only, and more than 100 along the far longer U.S.-Canadian border, including Alaska.

UPDATE: The Register took a second look at the data it had obtained in connection with its May story about an apparent data breach at Perceptics. It "uncovered at least 4,000 .JPG and .TIF images of, among other things, license plates, some identified and some not, belonging to vehicles passing through CBP's checkpoints including those in Santa Teresa and Columbus, New Mexico, on the southern border with Mexico, and the Hidalgo Port of Entry on the Texas-Mexico border."

The Register also noted that as of June 10, the hidden website offering the Perceptics data still listed the data as available for download.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.