A subcontractor for U.S. Customs and Broader Protection has been hacked with photos and other traveler data stolen, the agency confirmed to multiple news services today.

The subcontractor was not named by CBP, but a report from The Register in May referenced Tennessee-based Perceptics, a maker of license-plate reader hardware and software used by CBP as the source of the stolen data.

The stolen CBP data includes pictures of vehicles, including their license plates and pictures of people crossing borders. Additional data stolen, most likely relating to Perceptics itself, included internal emails and databases, documentation and client details, blueprints, backups, music and more. The pictures all related to southern border crossings with Mexico and did not involve any border crossings with Canada or airports.

Embarrassingly for both the CBP and Perceptics, the stolen data had been copied by the company to its own network in breach of its contract. “On May 31, 2019, CBP learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network,” a CBP spokesperson said. “The subcontractor’s network was subsequently compromised by a malicious cyber-attack. No CBP systems were compromised.”

Worse still, there’s some suggestion that the data was being copied by Perceptics to add to its own facial recognition database. The CBP also claims that none of the image data has been identified on the dark web or the wider internet, but the original report from The Register in May said the stolen data was freely available on the dark web.

For many security experts, the CBP data theft highlights rings alarms on several fronts.

“Third-party contractors can be the weakest link in the chain when it comes to security,” Mark Trinidad, senior technical evangelist at Varonis Systems Ltd., told SiliconANGLE. “After a breach occurs, all too often there’s finger pointing as affected companies scramble to determine who’s to blame. In the end, it doesn’t matter, because the organization in charge must ensure that all contractors have taken all necessary steps to ensure information is kept safe.”

And breaches are just one side of the story. “Imagine if images or data were altered, or simply deleted, to cover evidence of criminal or terrorist activity,” he added. “The implications of a digital breach impacting the physical world are a very real possibility.”

Dan Tuchler, chief marketing officer at SecurityFirst Corp., noted that a controversial topic right now is the abuse of facial recognition and license plate tracking software to improperly surveil the general population.

“We don’t want to live in a police state,” he said. “With the theft of photos of people entering or exiting the country, will hackers use these photos in combination with other data to create problems for citizens and travelers? Once again it is a partner that was hacked. Every responsible organization needs to be vigilant and ensure that their partners are securing vital data.”

Unfortunately for those who have had their images stolen, said Robert Cattanach partner at the international law firm Dorsey & Whitney LLP, there’s likely little chance of redress.

“Unless a traveler can prove that they have been harmed somehow by the disclosure of their information and location at a border or airport… there is very little anyone can do once their information has been stolen, and then often made available on the dark web,” Cattanach said. “U.S. courts have been reluctant to award damages absent a showing of specific and concrete harm.”

Photo: UpstateNYer/Wikimedia Commons