
6/11/2019
07:20 PM

Suppliers Spotlighted After Breach of Border Agency Subcontractor

Attackers increasingly use third-party service providers to bypass organizations' security. The theft of images from US Customs and Border Protection underscores the weakness suppliers can create.

US Customs and Border Protection (CBP) officials announced on Tuesday that an initial investigation into the breach of a subcontractor that maintains databases of photos indicated the leak involved images of fewer than 100,000 people. 

The announcement is the first assessment of the impact of the breach, disclosed by the border security agency on June 10. The incident involved a CBP contractor, which had — in violation of CBP policies — copied sensitive files of border crossings and stored images of license plates and travelers on an insecure computer. The agency stressed that its computer systems and infrastructure were not involved in the attack.

"Photographs were taken of travelers in vehicles entering and exiting the United States through a few specific lanes at a single land border Port of Entry over a 1.5 month period," CBP said in a statement. "No other identifying information was included with the images."

The breach is yet another incident reminding companies and government organizations to regularly assess the security of their suppliers. Earlier this month, LabCorp and Quest Diagnostics were notified by AMCA, their supplier of debt collection services, that information on nearly 20 million of their customers had been potentially compromised by attackers. And in April, Mexican media firm Cultura Colectiva inadvertently leaked 540 million records from Facebook users because it did not protect the Amazon S3 container on which it stored the data.

"It is critical that organizations prioritize the security and access controls of their vendors, providers, and partners," said Sherrod DeGrippo, senior director of threat research and detection at data security firm Proofpoint. "These groups regularly handle sensitive data and must be examined by organizations thoroughly as they have the same culpability as the organization itself."

DeGrippo recommends that subcontractors' security posture be regularly reviewed and threat profiles created to establish needed defenses.

CBP did not name the latest subcontractor. Yet earlier in May, an attacker breached the network of government contractor Percepsys, a maker of license plate scanning and recognition systems, posting more than 65,000 files online, according to a May 23 article in The Register.

In its statement, however, CBP stressed it has not seen any malicious use of the data to date. "As of today, none of the image data has been identified on the Dark Web or Internet," the agency's spokesperson said in a statement.

The breach notification comes at a time when the CBP is expanding its technologies used to track travelers, including facial recognition, license plate identification, and social media tracking. Pointing to the current breach, the American Civil Liberties Union (ACLU) called the plans dangerous because government agencies and their contractors cannot keep such information safe.

"This incident further underscores the need to put the brakes on these efforts and for Congress to investigate the agency’s data practices," said Neema Singh Guliani, senior legislative counsel at the American Civil Liberties Union, in a statement. "The best way to avoid breaches of sensitive personal data is not to collect and retain such data in the first place."

In 2015, the Office of Personnel Management discovered that the records of 25.7 million people had been stolen through a series of network intrusions, including into the systems of contractors.

In both breaches, because a government agency is involved and it is difficult to prove that the breaches caused harm, there will be little that consumers or citizens can do, said Robert Cattanach, a partner at the international law firm Dorsey & Whitney.

"US Courts have been reluctant to award damages absent a showing of specific and concrete harm," he said in a statement. 

Governments are finding it difficult to create policy to deal with the rapid advancement of technology.

"Rapidly evolving technology that collects vast amounts of individual data, coupled with the dramatic cultural differences between various countries that collect it, make this an even more challenging problem for individuals and their political systems to reconcile," he said.

CBP is currently scrutinizing its subcontractor's investigation into the breach, the agency said.

"CBP has removed from service all equipment related to the breach and is closely monitoring all CBP work by the subcontractor," it said. "CBP requires that all contractors and service providers maintain appropriate data integrity and cybersecurity controls and follow all incident response notification and remediation procedures."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

Comments
REISEN1955,
User Rank: Ninja
6/12/2019 | 8:20:07 AM
An Isolated, secure computer
Isolate from the network and internet - stand alone nothing attached. Second, secure - epoxy over most usb ports if possible, pat down before using computer and when done, locked room. Do these simple precautions and Bradley Manning would not have been able to steal data. For this is not a breach but data theft pure and simple. Oh, contractor firm goes bye-bye real fast with zero payment. Breach of contract. And I would lawsuit the issue too. Cost of repairl