US Customs and Border Protection (CBP) officials announced on Tuesday that an initial investigation into the breach of a subcontractor that maintains databases of photos indicated the leak involved images of fewer than 100,000 people.
The announcement is the first assessment of the impact of the breach, disclosed by the border security agency on June 10. The incident involved a CBP contractor, which had — in violation of CBP policies — copied sensitive files of border crossings and stored images of license plates and travelers on an insecure computer. The agency stressed that its computer systems and infrastructure were not involved in the attack.
"Photographs were taken of travelers in vehicles entering and exiting the United States through a few specific lanes at a single land border Port of Entry over a 1.5 month period," CBP said in a statement. "No other identifying information was included with the images."
The breach is yet another incident reminding companies and government organizations to regularly assess the security of their suppliers. Earlier this month, LabCorp and Quest Diagnostics were notified by AMCA, their supplier of debt collection services, that information on nearly 20 million of their customers had been potentially compromised by attackers. And in April, Mexican media firm Cultura Colectiva inadvertently leaked 540 million records from Facebook users because it did not protect the Amazon S3 container on which it stored the data.
"It is critical that organizations prioritize the security and access controls of their vendors, providers, and partners," said Sherrod DeGrippo, senior director of threat research and detection at data security firm Proofpoint. "These groups regularly handle sensitive data and must be examined by organizations thoroughly as they have the same culpability as the organization itself."
DeGrippo recommends that subcontractors' security posture be regularly reviewed and threat profiles created to establish needed defenses.
CBP did not name the latest subcontractor. Yet earlier in May, an attacker breached the network of government contractor Percepsys, a maker of license plate scanning and recognition systems, posting more than 65,000 files online, according to a May 23 article in The Register.
In its statement, however, CBP stressed it has not seen any malicious use of the data to date. "As of today, none of the image data has been identified on the Dark Web or Internet," the agency's spokesperson said in a statement.
The breach notification comes at a time when the CBP is expanding its technologies used to track travelers, including facial recognition, license plate identification, and social media tracking. Pointing to the current breach, the American Civil Liberties Union (ACLU) called the plans dangerous because government agencies and their contractors cannot keep such information safe.
"This incident further underscores the need to put the brakes on these efforts and for Congress to investigate the agency’s data practices," said Neema Singh Guliani, senior legislative counsel at the American Civil Liberties Union, in statement. "The best way to avoid breaches of sensitive personal data is not to collect and retain such data in the first place."
In 2015, the Office of Personnel Management discovered that the records of 25.7 million people had been stolen through a series of network intrusions, including into the systems of contractors.
In both breaches, because a government agency is involved and it is difficult to prove that the breaches caused harm, there will be little that consumers or citizens can do, said Robert Cattanach, a partner at the international law firm Dorsey & Whitney.
"US Courts have been reluctant to award damages absent a showing of specific and concrete harm," he said in a statement.
Governments are finding it difficult to create policy to deal with the rapid advancement of technology.
"Rapidly evolving technology that collects vast amounts of individual data, coupled with the dramatic cultural differences between various countries that collect it, make this an even more challenging problem for individuals and their political systems to reconcile," he said.
CBP is currently scrutinizing its subcontractor's investigation into the breach, the agency said.
"CBP has removed from service all equipment related to the breach and is closely monitoring all CBP work by the subcontractor," it said. "CBP requires that all contractors and service providers maintain appropriate data integrity and cybersecurity controls and follow all incident response notification and remediation procedures."