It’s unknown exactly how many images were compromised but, as reported by TechCrunch, CBP said the incident affected fewer than 100,000 people through a “few specific lanes at a single land border” over a period of a month and a half. The agency added that it first learned of the breach on May 31. It never named the subcontractor.
While CBP says none of the stolen data ended up on the dark web or internet, news of the breach comes not long after The Register found files from government contractor Perceptics on the dark web. The company makes vehicle license plate readers used by the government to identify and track citizens. While it’s unclear if the two incidents are linked, a Microsoft Word document containing CBP’s statement included the name Perceptics in the title.
“Government agencies that rely extensively on contractors and third-party organizations are especially at risk from so-called supply-chain breaches. Without more details on what was compromised, it’s hard to tell what the impact might be. Personal details of all kinds can be used for identity theft and other schemes,” said Tim Erlin, VP, product management and strategy at cybersecurity firm Tripwire.
“Given that this breach is likely to contain a host of information from European Union data subjects, there may be challenging and interesting GDPR implications.”
With CBP speeding up the adoption of facial recognition of international travelers, incidents such as this one will doubtlessly raise more questions over the privacy and security implications of these systems.