Border Pictures Exposed; GAO Warns of Lingering Equifax Breach Effects

Another data exposure, this time involving 100,000 photos from a U.S. Customs and Border Protection subcontractor; and the lasting impact of the 2017 Equifax breach were recent cybersecurity news highlights.

A U.S. Customs and Border Protection subcontractor experienced a data breach exposing the photos of tens of thousands of travelers coming in and out of the United States, the agency revealed in what it described as a “malicious cyber-attack.” The transfer of identifying traveler photos and license plate images to a subsequently-hacked CBP subcontractor’s network occurred without the federal agency’s authorization or knowledge, CBP explained.

The compromised images of travelers in vehicles entering and exiting the country through specific lanes at a solitary port of entry over a 90-day period affected less than 100,000 people, according to a law enforcement official. The data did not include any other identifying information, nor were other photos, passport or travel document photos compromised.

The federal agency did not name the subcontractor that was hacked, but in May, online tech publication The Register reported the hacking of Perceptics, the maker of vehicle license plate readers used by the U.S. government and cities to identify and track citizens.

In its June 10, 2019 statement, CBP said: “Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract. As of today, none of the image data has been identified on the dark web or internet.”

Dan Tuchler, chief marketing officer for the Santa Margarita, Calif.-based SecurityFirst, said, “A controversial topic right now is the abuse of facial recognition and license plate tracking software to improperly surveil the general population. We do not want to live in a police state. With the theft of photos of people entering or exiting the country, will hackers use these photos in combination with other data to create problems for citizens and travelers? Once again it is a partner that was hacked.” Tuchler added every responsible organization needs to be vigilant and ensure their partners secure vital data.

“The issue with subcontractors is you can’t completely control how they secure their network. You can ask for certifications, financials, controls, attestations; but there is always a limit to how much you can demand,” Pierluigi Stella, chief technology officer for the Houston, Texas-based Network Box USA, explained. “If you choose to use a subcontractor, you also choose to accept the level of risk that comes with it, despite all your controls.”

Stella said questions exist about why a private government subcontractor transferred the data in the first place. “Why did this contractor move all our face pictures to their network? What were they trying to do with that data? I have problems with the government keeping that information; I definitely have big issues with a private corporation doing so. Let alone that now they lost it. What were they doing with it in the first place?”

Tyler Owen, director, solution engineering at the San Jose, Calif.-based CipherCloud also observed a couple of large breaches over the past several weeks involving high-profile organizations through subcontractors – First Quest Diagnostics/LabCorp and CBP. “This really highlights that while the primary organization is handling their data security, if they do not do appropriate due diligence on all other parties that will have access to their data, it leaves a very large gap. Not only is it important to perform initial checks of an organization’s security practices but also perform routine checks.”

Breaches have lingering effects as well.

In a May report, the Government Accountability Office noted several government departments continue to rely on commercial credit agencies to help verify the identities of people who apply for benefits online – such as by asking personal questions from credit files. The government watchdog group found that the U.S. Postal Service, Department of Veterans Affairs, Social Security Administration and Centers for Medicare and Medicaid Services still use “knowledge-based verification” to make sure people who apply for benefits online are authentic.

However, the 2017 Equifax breach, which exposed sensitive information of some 145.5 million Americans, raised questions about this practice.

The GAO said, “Data stolen in recent breaches, such as the 2017 Equifax breach, could be used fraudulently. The risk that an attacker could obtain and use an individual’s personal information to answer knowledge-based verification questions and impersonate that individual led the National Institute of Standards and Technology to issue guidance in 2017 that effectively prohibits agencies from using knowledge-based verification for sensitive applications. Alternative methods are available that provide stronger security. However, these methods may have limitations in cost, convenience and technological maturity, and they may not be viable for all segments of the public.”

Eve Maler, vice president of innovation and emerging technology at the San Francisco, Calif.-based ForgeRock, commented: “We’re continuing to see the impact of the 2017 Equifax hack. Citizens are not the only ones impacted; government agencies relying on credit reporting agencies remain vulnerable to inaccurate citizen verification as well. These federal agencies must move away from CRA-based verification, as the challenges with this knowledge-based authentication method are now legion. First, if the data to perform these checks was ever secret, after the Equifax breach and many others such as OPM, it no longer is. Second, this method does not work for people with a thin credit file. Third, it provides a terrible experience for legitimate users because the data typically isn’t very clean.”