According to a report from the Department of Homeland Security (DHS) Inspector General, poor security practices on behalf of U.S. Customs and Border Protection (CBP) were at fault for a subcontractor being in possession of nearly 200,000 facial images and 50,000 license plate numbers that were later stolen during a security breach.
The subcontractor in question, Perceptics, LLC, partnered with CBP for a 2019 facial recognition pilot project across multiple land border locations. At a test site in Anzalduas, Texas, Perceptics gained unauthorized access to the biometric data collected by CBP and transferred it via unencrypted USB drive to the company’s head office in Knoxville, Tennessee.
Of the approximately 184,000 images that were compromised, the DHS Inspector General says that at least 19 of them were posted to the dark web, along with roughly 50,000 American license plate numbers.
For its part, CBP claims that the actions of Perceptics and its employees were carried out without its knowledge or consent, and were in fact violations of existing security and privacy protocols. The Inspector General, however, concluded that the subcontractor should never have been able to gain access to the data, and that CBP “did not adequately safeguard” it, and that its security practices were “inadequate to prevent the subcontractor’s actions.”
CBP’s use of biometrics for border crossings has been growing steadily over the past several years, with its Global Entry program having been streamlined earlier this year to allow passengers that submit to facial scans to skip passport and fingerprint scans altogether.
The report also expressed concerns over the public’s already suspect faith in the government’s facial recognition endeavours, saying that “[t]his incident may damage the public’s trust in the Government’s ability to safeguard biometric data and may result in travelers’ reluctance to permit DHS to capture and use their biometrics at U.S. ports of entry.”
Both CBP and Perceptics did not respond to CNN — which reported on the initial data breach last year — when asked to comment on the findings of the DHS report.
September 24, 2020 – by Tony Bitzionis