U.S. Customs and Border Patrol (CBP) officials confirmed that no more than 100,000 photos of travelers and license plates were compromised in a data breach CBP identified on May 31, according to The New York Times and Washington Post.
A CBP official said that a Federal subcontractor transferred copies of the photos to the subcontractor’s network without CBP’s knowledge. Hackers then accessed the subcontractor’s network, where they had access to images of drivers in their cars and license plates of cars crossing through a port of entry over a six-week period.
CBP added in a statement that it removed the equipment involved in the breach from service and notified Congress of the hacking.
The CBP data privacy breach is the second that the Department of Homeland Security has suffered in recent months. In March, the Federal Emergency Management Agency compromised sensitive personal data of 2 million victims of natural disasters.
Network Box USA CTO Pierluigi Stella raised the issue of how Federal agencies secure and share personal data, particularly with external actors like subcontractors.
“The issue with subcontractors is that you can’t completely control how they secure their network,” Pierluigi said. “You can ask for certifications, financials, controls, attestations; but there is always a limit to how much you can demand.”
Attorney Robert Cattanach, a former trial attorney for the Justice Department and former special counsel to the Navy Secretary, said that it is unlikely that travelers affected by the breach can make claims of harm to their privacy.
“Unless a traveler can prove that they have been harmed somehow by the disclosure of their information and location at a border or airport, however, there is very little anyone can do once their information has been stolen, and then often made available on the dark web,” Cattanach said. “U.S. Courts have been reluctant to award damages absent a showing of specific and concrete harm.”
Cattanach added that the quick-changing nature of technologies like facial recognition technology makes it difficult to track and protect consumer data in the event of a data breach.
“Rapidly evolving technology that collects vast amounts of individual data, coupled with the dramatic cultural differences between various countries that collect it, make this an even more challenging problem for individuals and their political systems to reconcile,” he said.
Although CBP said that it has not identified any of its image data on the dark web or internet so far, Paul Bischoff, a privacy advocate at Comparitech, said that when agencies like CBP collect traveler information without travelers’ consent and then lose those photos to hackers, there are dangerous consequences.
“When the government takes and stores photos of people not suspected of any wrongdoing without their consent, and then loses those photos to criminals or nation-state actors, it has ramifications for all of us,” Bischoff said. “When those photographs are combined with other information, such as a license plate number, it enables harassment, stalking, intimidation, and other crimes.”