A “malicious cyberattack” on a U.S. Customs and Border Protection subcontractor compromised photographs of travelers going into and out of the country, along with license plates, the agency said Monday.
Customs and Border Protection has known about the attack since May 31. According to the agency, a subcontractor transferred the images to its network “in violation of CBP policies and without CBP’s authorization or knowledge.”
The images include fewer than 100,000 people in vehicles entering and exiting the United States “through a few specific lanes at a single land border Port of Entry over a 1.5 month period,” according to a CBP spokesperson.
Officials claim that the stolen information hasn’t shown up on the internet or dark web. The Register found files from CBP contractor Perceptics, which makes license plate readers, on the dark web last month.
CBP hasn’t confirmed which of its contractors was attacked, so it’s not clear if the two incidents are connected.
The breach drew condemnation from privacy advocates, including the Electronic Frontier Foundation (EFF).
“EFF is disappointed by reports of the theft from CBP of photos of travelers’ faces and license plates,” said the organization’s senior staff attorney Adam Schwartz. “The inherent risk of such theft is among the reasons why the government should not be amassing this sensitive information in the first place.”
Initial reports were unclear about whether photos of travelers entering through airports were involved in the breach, but the CBP says passport and other travel document photos were not compromised, nor were images of airline passengers.
When you arrive in the U.S. after an international flight, your stop at customs may include an agent snapping a photo of you. Using facial recognition technology, the agent can then match it with a “biometric template.” That template is a string of numbers representing, say, your passport photo.
“These templates are irreversible and cannot be reverse-engineered by anyone outside of CBP to reconstruct the photo,” according to the CBP.
Customs and Border Protection says it “discards” photos of U.S. citizens and exempt aliens within 12 hours of verifying their identity. It can take 14 days to delete other travelers’ photographs. According to agency rules, airports and other partners aren’t allowed to keep any traveler photos they take for identification purposes.
There are some protections if your license plate information is stolen. While the Driver’s Privacy Protection Act makes it difficult to track down someone’s personal information just from a license plate, some privacy advocates have raised concerns about the amount of data automated plate readers suck up.
The image quality will depend on whether vehicles at the border crossing had to stop and wait for long stretches due to lots of traffic, Dr. Jennifer King, director of privacy at Stanford’s Center for Internet and Society, told Digital Trends. As for how the images could be used, “It all depends on who stole it,” she said. Criminal hackers and foreign governments would have different motives and uses for the data.
“Having more data to feed into a facial recognition system is always useful, sadly, especially high-quality images taken for that purpose, to really try to focus on identifying people,” said King.
“We’re at the point where training data is hard to find, and getting good training data is invaluable in and of itself, even if it doesn’t ultimately lead to identification of individuals, for example, in the short term,” she added.
The CBP and federal authorities are investigating the breach and monitoring for the stolen information.
Update 6/11/2019: This story was updated to include new details about the amount and type of photographs stolen and to include remarks by Dr. Jennifer King.