US Customs and Border Protection Failed to Safeguard Data

US Customs and Border Protection Failed to Safeguard Data

A review of a facial recognition technology pilot scheme conducted by US Customs and Border Protection (CBP) has found that sensitive biometric data was not adequately protected. 





The Vehicle Face System was trialed last year by CBP. A major cybersecurity incident occurred when subcontractor Perceptics, hired to work on the pilot, transferred copies of CBP's biometric data to its own company network.





The subcontractor obtained access to this data between August 2018 and January 2019 without CBP’s authorization or knowledge. Later in 2019, the Department of Homeland Security experienced a major privacy incident, as the subcontractor’s network was subjected to a malicious cyber-attack.





Subsequently, CBP data, including traveler images from CBP’s facial recognition pilot, appeared on the dark web, triggering a review by the Office of the Inspector General (OIG).





The data breach compromised approximately 184,000 traveler images from CBP’s facial recognition pilot. At least 19 of the images were later posted to the dark web.





In the review, published on September 21, the OIG found "CBP did not adequately safeguard sensitive data on an unencrypted device used during its facial recognition technology pilot."





The OIG also found that Perceptics staff "directly violated DHS security and privacy protocols when they downloaded CBP’s sensitive PII from an unencrypted device and stored it on their own network." 





Perceptics' actions went against a Department of Homeland Security stipulation that requires subcontractors to protect personally identifiable information (PII) from identity theft ..

Support the originator by clicking the read the rest link below.