Last June, a U.S. Customs and Border Protection (CBP) subcontractor breach exposed over 184,000 photos of people collected as part of the Vehicle Face System, a facial recognition program at major ports of entry to verify travelers’ identities as they enter and exit the U.S. While CBP initially declined to say whether any of that data made its way onto the dark web, a new inspector general report from the U.S. Department of Homeland Security found that at least 19 images were published online due to lapses in security protocols by Perceptics, the third-party responsible for securing the images.
The report’s findings, while somewhat preempted by Motherboard’s reporting last year, underline the dangers of law enforcement facial recognition systems. Centralized databases, particularly those managed by multiple parties, are vulnerable to hacking and ransomware attempts.
The Vehicle Face System, which launched in 2018 at the Nogales border crossing in Arizona and Anzalduas in Texas, affords CBP access to facial recognition databases that incorporate photos from entry inspections, U.S. visas, and other U.S. Department of Homeland Security resources. (The Vehicle Face System is a part of CBP’s broader Biometric Entry-Exit Program, which is engaged with airlines at 27 international airports across the country to perform facial recognition on passengers.) Camera kiosks at border crossings developed with the help of Oak Ridge National Labs in Tennessee capture photos of drivers through windshields and compare them with photos in the database, algorithmically attempting to identify matches.
According to the inspector general report, CBP violated its own rules by failing to adequately safeguard facial recognition data on an unencrypted device used during the Vehicle Face System pilots. This enabled Perceptics to transfer copies of the data, including traveler images, to its own unprotected network between August 2018 and January 2019 without CBP’s “authorization or knowledge.”
Perceptics — which had previously worked for CBP as a subcontractor providing license plate readers at U.S. Border Patrol checkpoints — was hired by Unisys. CBP retained Unisys to design, develop, and install the Vehicle Face System, relying on images captured by Perceptics’ setup for testing and analysis.
According to the report, during the Anzalduas pilot, Perceptics gained access to vehicle driver and passenger images through a computer connected to cameras at the test site. Perceptics had submitted work orders for maintenance, which were approved by CBP and Unisys, but none of the tickets authorized the company to download anything.
Perceptics eventually admitted to Unisys that it downloaded the images using an unencrypted drive that was transported back to its offices in Knoxville, Tennessee. From there, Perceptics uploaded CBP’s images to a corporate server to improve its facial recognition algorithms.
As previously reported, the subcontractor’s network was later the subject of a malicious cyberattack that compromised approximately 105,000 license plate images and 184,000 traveler images, about 84,000 of which were duplicates. A hacker known as Boris Bullet-Dodger demanded 20 Bitcoins within 72 hours and threatened to upload stolen data to the dark web if the demands weren’t met.
After the breach, which Perceptics spotted in May 2019, the company informed Unisys, which in turn notified CBP after roughly a week. The following month, CBP temporarily suspended Perceptics from future contracts, subcontracts, grants, loans, and other federal assistance programs. But the suspension was lifted in September 2019, leaving Perceptics eligible to participate as a contractor in future federal procurement.
Elsewhere, CBP disabled its biometric processing equipment’s USB capabilities and performed software updates to support encryption. It also inspected cameras and biometric technologies to ensure data wasn’t being stored on any other endpoint devices. But as of November 8, 2019, CBP says it had only completed evaluations at five locations, including four airports participating in the Biometric Air-Exit program and a testing facility in Sterling, Virginia.
“This data breach may damage the public’s trust in the government’s use of biometric data,” the inspector general’s report concludes. “This data breach, and the subsequent ransomware attack on Perceptics, became the subject of international news coverage … [And] this concern could create reluctance among the public to permit DHS to use photos in the future.”
The report’s publication comes after a U.S. Government Accountability Office (GAO) filing earlier this month found that CBP fell short in areas including partner auditing and performance testing with respect to the Biometric Entry-Exit Program. The GAO said the resources it identified regarding CBP’s program at ports of entry, online, and call centers provided limited information and weren’t always complete, noting that CBP’s facial recognition technology continues to underperform compared with the agency’s baselines.