US border control reveals a cyber attack stole traveller data

Logo for the US Customs and Border Protection federal agency

Photos of travellers and license plate images have been compromised after a subcontractor for the US Customs and Border Protection (CBP) suffered a cyber attack on its network.

The US border control agency became aware on 31 May that one of its subcontractors transferred photos of license plates, as well as travellers' images, to its own networks without the agency's knowledge.

The network was then compromised in a malicious cyber attack, according to the CBP, which noted that none of its own systems had been compromised, according to the Washington Post.

"Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract," a CBP statement said.

"As of today, none of the image data has been identified on the Dark Web or internet. CBP has alerted Members of Congress and is working closely with other law enforcement agencies and cybersecurity entities, and its own Office of Professional Responsibility to actively investigate the incident."

The incident affected fewer than 100,000 people, the agency said, and involved photographs taken of travellers in vehicles entering and exiting the US through a few specific lanes at a single land border point for more than one and a half months.

No airline passenger data was compromised, and the stolen data did not include passport information or other travel documents.

CEO of ImmuniWeb Ilia Kolochenko said the strangest aspect of the CBP's data breach revelation is its timing.

"Just after the unwarranted transfer of confidential data to the subcontractor's network, they suddenly got hacked as if someone has been purposefully waiting for this," he said.

"Of course, we may suppose that the subcontractor had been breached and backdoored for a while already, but this puts in question the vetting process at CBP when selecting suppliers to handle sensitive data."

The incident could also pose legal ramifications under the European Union's (EU) General Data Protection Regulation (GDPR) should any of the compromised data also belong to EU citizens.

Overall the situation raises further concerns over the US government's plans to collect more traveller data with time, particularly under the Trump administration's harsher immigration rules. A greater emphasis on biometrics like facial recognition and fingerprint collection, in particular, has been the source of controversy.

The contentious use of this technology has led San Francisco to become the first US city to ban it, in the context of growing privacy and security concerns. Police forces across the UK have similarly faced criticism for pursuing facial recognition trials, particularly after research published last year identified the underlying technology used is "dangerously inaccurate".

The Department for Homeland Security (DHS), meanwhile, recently put forward proposals to demand travellers submit their social media usernames so their accounts can be monitored by authorities.

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.