Check-in counters at border showing data breach at U.S. Customs and Border Protection subcontractor which exposed around 100,000 travelers’ data
U.S. Customs and Border Protection Data Breach Result of Supply Chain Attack by Scott Ikeda

U.S. Customs and Border Protection Data Breach Result of Supply Chain Attack

The U.S. Customs and Border Protection agency, the one centrally responsible for securing the country’s borders, was the latest high-profile organization to fall victim to a supply chain attack. The breach exposed data on somewhere around 100,000 people who crossed the United States border at a specific port of entry.

U.S. Customs and Border Protection’s statement on the matter did not specify the location, but cybersecurity reporters covering the story believe that the data most likely came from a port of entry in Texas, New Mexico or Arizona. This speculation is based on an independent report of a breach during the same time period by a subcontractor that furnishes the agency with license plate readers.

The breach contained copies of license plate images and traveler images collected by U.S. Customs and Border Protection. It exposed clear pictures of the faces of travelers (presumably for use with facial scanning software) and of their license plates. The pictures came from a specific period of about a month and a half, though the exact dates were not specified.

How the U.S. Customs and Border Protection data breach happened

A U.S. Customs and Border Protection subcontractor downloaded the set of images, and the attackers (who the U.S. Customs and Border Protection characterized as “malicious”) breached the subcontractor’s network and gained access to them. The agency states that the subcontractor was not authorized to download those images from their servers, and had done so without permission and without notifying anyone at the agency. While the agency did not disclose the exact number of breach victims, it put the total at “fewer than 100,000” which would be an odd way to characterize anything that was under 90,000 or so.

Though the agency did not give the name of the contractor at fault, a number of news outlets covering this story are reporting that it is most likely Perceptics of Tennessee. Perceptics is the largest manufacturer of license plate scanners for the United States government, and the company disclosed in May that it had experienced a data breach in which some of its sensitive files were exfiltrated and dumped online. Perceptics has yet to comment on the issue.

Additionally, the agency’s original email to the Washington Post had “U.S. Customs and Border Protection Perceptics Public Statement” in the subject line.

The attacker was also not named, though U.S. Customs and Border Protection noted that “none of the image data has been identified on the Dark Web or internet.”

Fallout of the U.S. Customs and Border Protection data breach

U.S. Customs and Border Protection’s claim that none of the image data could be found on the dark web is contradicted by reporting on the Perceptics breach by various media outlets.

For example, Vice found images of drivers that appear to be connected to the data breach on the dark web shortly after it was announced. Vice also found additional data that appears to have come from Perceptics – images taken from toll booths on the Pennsylvania Turnpike, and internal U.S. Customs and Border Protection documents that describe various facial and license plate recognition technologies. Vice also claims to have found license plate data among this dark web data. This reporting was corroborated by The Register, which has made contact with the hacker responsible for the breach.

The Register claims to have identified the attacker as a fellow named “Boris Bullet-Dodger”, though it is still unclear what their motives were or if they have any affiliation with known hacking groups or nation-states. Boris appears to be part of a criminal group that specializes in breaching and extorting companies, however, given that a hacker by the same name took credit for the April hack of IT services provider CityComp.

This leaves a lot of questions unanswered, to put it mildly. As Pierluigi Stella, CTO of Network Box USA, commented:

“The issue with subcontractors is that you can’t completely control how they secure their network. You can ask for certifications, financials, controls, attestations; but there is always a limit to how much you can demand. You can’t necessarily walk into their office for a sudden inspection; or force them to use your standard of security because ‘yours are better than theirs.’ So if you choose to use a subcontractor, you also choose to accept the level of risk that comes with it, despite all your controls.

“In this case, there is also that murky aspect of the transfer of data. Why did this contract move all our face pictures to their network? What were they trying to do with that data? I have problems with the government keeping that information; I definitely have big issues with a private corporation doing so. Someone here needs to explain to us why that data was moved to the network of a private government subcontractor, to what end, what were they doing with that data? Let alone that now they lost it. What were they doing with it in the first place? Why did they practically steal it (the article says they were not authorized to have that data).”

So, at the moment, it is still unclear exactly how much information has actually been leaked in this data breach. The lone silver lining here is that there is yet to be any indication that any financial information, personal identifying information (such as driver’s license numbers) or information related to airline passengers was included. The pairing of faces with license plate numbers is bad enough by itself, however. To compound that, the agency is in possession of much more information that this contractor could have potentially had access to – fingerprint data, facial scan records and social media account information, just to name some possibilities.

The timing of all of this could not have been worse for U.S. Customs and Border Protection. The agency is currently embroiled in public controversy over a plan to scan all of the international passengers at the country’s 20 biggest airports with facial recognition software. Though this particular breach had nothing to do with airline passengers, it provides ample ammunition to privacy advocate claims that the government cannot be trusted with mass collection and storage of this sort of information.

The breach happened just weeks after privacy advocates testified against the use of facial recognition software before the House Committee on Oversight and Reform, suggesting that it be banned due to the possibility of something exactly like this happening. The Homeland Security Committee will be holding hearings on the department’s use of biometric information in July.

The importance of vendor compliance

Supply chain security is truly a “weakest link” situation; each vendor must have adequate policies and practices in place or a breach such as this is likely to happen. The only assurance that companies have is the terms spelled out in a contractual agreement. There can sometimes be too much of a focus on punitive measures and liability; this breach illustrates the importance of contractor screening and mandating regular security auditing.

This case demonstrates that it takes just one irresponsible or rogue employee at a subcontractor or vendor to create a damaging data breach, regardless of what contracts might say. U.S. Customs and Border Protection has indicated that the subcontractor violated mandatory protocols that they had agreed to. Whether intentional or just due to incompetence, it only took the actions of one employee to put sensitive information from travelers in a vulnerable position.

As Dov Goldman, Director of Risk & Compliance at Panorays, points out:

“It is high time for some serious examination of how governments evaluate the contractors they hire to collect and evaluate personal data like facial photographs used for identity recognition, license plates, bank accounts, credit cards and where you are on any given data – much of it very private, sensitive information in anyone’s book. With two serious data breaches in two weeks, everyone should be extremely concerned with the information security and privacy practices of the technology companies our government uses to collect and evaluate information about citizens. The Federal Information Systems Act (FISMA) of 2002, amended in 2014 as the Federal Information Security Modernization Act, mandates best practices for safeguarding data and information systems. Contractors to the Federal Government are required to comply with FISMA, which they can do by implementing the NIST information security control standards. With modern, commercially available tools and systems, a government agency can evaluate how well third-party vendors comply with NIST before a contract is awarded, and monitor the vendors they select continuously for cyber vulnerabilities afterwards. It’s great that governments are using the latest technologies to make life easier and safer for citizens; they need to implement their own rules, such as FISMA, to ensure our privacy as well.”

Tyler Owen, director of solution engineering at CipherCloud, addressed concrete measures to ensure vendor compliance:

“Over the past two weeks we have seen multiple large breaches of very high profile organizations through subcontractors. First Quest Diagnostics/LabCorp via AMCA and now U.S. Customs and Border Protection via a subcontractor. This really highlights that while the primary organization is handling their data security if they do not do appropriate due diligence on all other parties that will have access to their data it leaves a very large gap. Not only is important to perform initial checks of an organizations security practices but also perform routine checks. Not only is it important to perform routine checks on the policies and procedures of contractors but also review their activities with an organization’s data.

“If U.S. Customs and Border Protection was utilizing a cloud access security broker (CASB) or user and entity behavior analytics (UEBA), this initial policy violation might have been identified when the offending subcontractor downloaded the data prior to the breach. In addition, if digital rights management (DRM) would have been applied on top of the encryption stated on U.S. Customs and Border Protection’s website this would have also been avoided as each file would require authorization to access the file, which the attackers would not have or could easily be disabled to stop their access.”

Subcontractor was not authorized to download traveler data stolen from #databreach at U.S. Customs and Border Protection. #respectdataClick to Tweet

The U.S. Customs and Border Protection data breach certainly serves as a good reminder to private companies to review and update their vendor and subcontractor agreements as needed; it remains to be seen if the United States government will as plans for increased collection of biometric data for their massive face recognition apparatus forge ahead.