
6/11/2019
07:20 PM

Suppliers Spotlighted After Breach of Border Agency Subcontractor

Attackers increasingly use third-party service providers to bypass organizations' security. The theft of images from US Customs and Border Protection underscores the weakness suppliers can create.

US Customs and Border Protection (CBP) officials announced on Tuesday that an initial investigation into the breach of a subcontractor that maintains databases of photos indicated the leak involved images of fewer than 100,000 people. 

The announcement is the first assessment of the impact of the breach, disclosed by the border security agency on June 10. The incident involved a CBP contractor, which had — in violation of CBP policies — copied sensitive files of border crossings and stored images of license plates and travelers on an insecure computer. The agency stressed that its computer systems and infrastructure were not involved in the attack.

"Photographs were taken of travelers in vehicles entering and exiting the United States through a few specific lanes at a single land border Port of Entry over a 1.5 month period," CBP said in a statement. "No other identifying information was included with the images."

The breach is yet another incident reminding companies and government organizations to regularly assess the security of their suppliers. Earlier this month, LabCorp and Quest Diagnostics were notified by AMCA, their supplier of debt collection services, that information on nearly 20 million of their customers had been potentially compromised by attackers. And in April, Mexican media firm Cultura Colectiva inadvertently leaked 540 million records from Facebook users because it did not protect the Amazon S3 container on which it stored the data.

"It is critical that organizations prioritize the security and access controls of their vendors, providers, and partners," said Sherrod DeGrippo, senior director of threat research and detection at data security firm Proofpoint. "These groups regularly handle sensitive data and must be examined by organizations thoroughly as they have the same culpability as the organization itself."

DeGrippo recommends that subcontractors' security posture be regularly reviewed and threat profiles created to establish needed defenses.

CBP did not name the latest subcontractor. Yet earlier in May, an attacker breached the network of government contractor Perceptics, a maker of license plate scanning and recognition systems, and posted more than 65,000 files online, according to a May 23 article in The Register.

In its statement, however, CBP stressed that it has not seen any malicious use of the data to date. "As of today, none of the image data has been identified on the Dark Web or Internet," the agency's spokesperson said in a statement.

The breach notification comes at a time when CBP is expanding the technologies it uses to track travelers, including facial recognition, license plate identification, and social media tracking. Pointing to the current breach, the American Civil Liberties Union (ACLU) called the plans dangerous because government agencies and their contractors cannot keep such information safe.

"This incident further underscores the need to put the brakes on these efforts and for Congress to investigate the agency's data practices," said Neema Singh Guliani, senior legislative counsel at the American Civil Liberties Union, in a statement. "The best way to avoid breaches of sensitive personal data is not to collect and retain such data in the first place."

In 2015, the Office of Personnel Management discovered that the records of 25.7 million people had been stolen through a series of network intrusions, including into the systems of contractors.

In both breaches, because a government agency is involved and it is difficult to prove that the breaches caused harm, there will be little that consumers or citizens can do, said Robert Cattanach, a partner at the international law firm Dorsey & Whitney.

"US Courts have been reluctant to award damages absent a showing of specific and concrete harm," he said in a statement. 

Governments are finding it difficult to create policy to deal with the rapid advancement of technology.

"Rapidly evolving technology that collects vast amounts of individual data, coupled with the dramatic cultural differences between various countries that collect it, make this an even more challenging problem for individuals and their political systems to reconcile," he said.

CBP is currently scrutinizing its subcontractor's investigation into the breach, the agency said.

"CBP has removed from service all equipment related to the breach and is closely monitoring all CBP work by the subcontractor," it said. "CBP requires that all contractors and service providers maintain appropriate data integrity and cybersecurity controls and follow all incident response notification and remediation procedures."


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

Comments
REISEN1955
6/12/2019 | 8:20:07 AM
An Isolated, secure computer
Isolate from the network and internet - stand alone, nothing attached.  Second, secure - epoxy over most USB ports if possible, pat down before using the computer and when done, locked room.  Do these simple precautions and Bradley Manning would not have been able to steal data.  For this is not a breach but data theft pure and simple.  Oh, contractor firm goes bye-bye real fast with zero payment.  Breach of contract.  And I would lawsuit the issue too.  Cost of repair