A recent review by the Department of Homeland Security (DHS) Office of Inspector General (OIG) found that Customs and Border Patrol (CBP) did not adequately protect sensitive data on an unencrypted device used during its Vehicle Face System facial recognition technology pilot.
OIG said that a subcontractor working on this pilot, Perceptics, violated DHS security and privacy protocols when it transferred copies of CBP biometric data to its own network between August 2018 and January 2019. Later in 2019, DHS was hit with a “major privacy incident” when the subcontractor was subjected to a malicious cyberattack, which prompted a Senate response asking the Government Accountability Office to look into the incident.
“DHS requires subcontractors to protect personally identifiable information (PII) from identity theft or misuse,” the OIG said. “Given Perceptics’ ability to take possession of CBP-owned sensitive data, CBP’s information security practices during the pilot were inadequate to prevent the subcontractor’s actions.”
According to the report, the data breach compromised 184,000 traveler images from the Vehicle Face System pilot, with at least 19 posted on the dark web.
The DHS OIG made three recommendations for CBP, all of which were agreed to, including:
- Implementing all mitigation and policy recommendations to resolve the 2019 data breach, including implementing USB device restrictions and applying enhanced encryption methods;
- Having the Deputy Executive Assistant Commissioner, Office of Field Operations coordinate with the CBP Office of Information and Technology to ensure additional security controls at existing Biometric Entry-Exit program pilot locations; and
- Establishing a plan for the Biometric Entry-Exit Program to routinely assess third-party equipment supporting biometric data collection, to best ensure compliance with DHS security and privacy standards.