Posted on June 18, 2019 at 1:12 PM
A company hired by Customs and Border Protection (CBP), has been hacked and some of the data that the company held has found its way onto the darknet. The situation has caused a ruckus among the staff of the CBP as the company was not even authorized to keep the information according to the CBP.
A spokesperson for the Customs and Border Protection agency said that the “CBP doe snot authorize contractors to hold license plate data on non-CBP systems,” showing that the agency, at least from its own side, takes a very conservative stance towards information security. That is something that should be applauded in this day and age, but the company, called Perceptics, disregarded the directive and chose to store the information without permission.
Civil liberties at the core of the issue
While it is to be applauded that the CBP does not officially allow contractors to hold information on non-CBP systems, it does beg the question of who is responsible for choosing contractors that surveilled American citizens and what happens to those people when the data is mishandled.
Neemah Singh Guliani, senior legislative counsel at the ACLU (American Civil Liberties Union) had quite a bit to add to the furor surrounding the leak of license plates on the dark web. She said that the CBP “keeps seeking to amass more information in a way that is concerning from a privacy and civil liberties standpoint,” and pressed the attack by proclaiming that “also from a security standpoint, given that they’ve not demonstrated they can safeguard that information.”
This is directly related to the license plate information that the CBP collects when people cross the border into either Canada or Mexico. Analysis of the data on the dark web shows that at least 50 000 unique American license plate numbers were found in the dark web leak.
What privileges did Perceptics actually have?
When talking about the failure of security on the part of both the government and the contractors it hires, it is best to start off with what the contractor is allowed to access. In this specific case, Perceptics was only authorized to access images of the license plate to improve their systems. This is so when a state issues a new license plate design, the system needs calibration to recognize it.
The agency says those period were brief, and that the data would need to be deleted after the software was calibrated to recognize new designs. The agency could not even give details on if the leak is only from the CBP or from other governmental organizations that Perceptics works with, as they have a number of contracts in government.
What is more worrying, is that a CBP spokesperson said that some photos of travelers were also compromised, equating to somewhat less than 100 000 photos altogether. The online archivist group DDOS (Distributed Denial of Secrets) gave the data to CNN and plans to publish more from the hack, including emails from Perceptics.
The full statement included when the CBP had learned of the leak. The agency said that it learned of the leak on the 31st of May and went on to say that they had learned that a subcontractor “had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network. The subcontractor’s network was subsequently compromised by a malicious cyber-attack.” Perceptics has not responded to any requests for comment at this time, though the company would do well to get out ahead of this situation.
A situation that, if allowed to fester, would only further damage the trust that the American people have in those who are tasked with protecting the nation from external threats. There have been outcries from various civil liberties groups about the lengths that the government will go to in order to collect data – and many think that the data collected has very little to do with external security. This most recent situation might give those voices the extra push they needed to become even more vocal.