A data breach of information belonging to the U.S. Customs and Border Patrol (CBP) that leaked photos of people and vehicles traveling over the United States border once again shows the risk associated with third-party access to sensitive or classified information.
The breach–the result of a cyber attack on a third-party contractor who collected the images for the CBP–also raises issues of privacy and how much control and access should the government have over personally identifiable information, security experts said.
News of the data leak broke widely on Monday, but CBP said said it actually occurred earlier. In an e-mail to Security Ledger, the agency said that on May 31, a subcontractor–revealed in reports to be Perceptics–transferred copies of license plate images and traveler images collected by CBP to the its company network without government knowledge or permission.
Perceptics was soon after hit with a “malicious cyber-attack” that resulted in the leak, according to CBP. Perceptics provides license-plate readers that allow the CBP as well as other law-enforcement agencies can track and identify vehicles.
Data leaked includes images of less than 100,000 travelers entering and exiting the United Sates through “a few specific lanes at a single land border Port of Entry over a 1.5 month period,” according to the CBP. A published report identified the photos as taken on the border with New Mexico.
The CBP blamed Perceptics’ violation of “mandatory security and privacy protocols outlined in their contract” for the leak. However, the ultimate responsibility still lies with the CBP to protect sensitive data that originates with the agency, said Fred Kneip, CEO of third-party cyber risk exchange CyberGRX.
“Though in direct violation of a contract, the responsibility of the CBP to properly manage its data is no less important than the third party which was attacked,” Kneip said. “A contract can state the expectation, but it’s up to the company to understand its exposure from associated third-party’s cybersecurity practices and mitigate the vulnerabilities as necessary.”
Indeed, with this latest breach coming on the heels of a third-party putting 11.9 million Quest Diagnostic patients at risk, experts stressed that any organization dealing with sensitive or classified information knows it must take great care with the security of that information–especially once it passes into the hands of third parties.
Easier said than done, experts said. One reason may be because it’s tricky to maintain control of that data once it leaves its origin due to contract and trust concerns between the agency that owns the data and the third party, said Pierluigi Stella, CTO of network security firm Network Box USA.
“The issue with subcontractors is that you can’t completely control how they secure their network,” he said. “You can ask for certifications, financials, controls, attestations; but there is always a limit to how much you can demand.”
The leak also raises questions about the lack of judgment government agencies and others in control of sensitive data use when deciding who else has access to it, as well as how much info they should even be allowed to collect if they can’t be trusted to secure it, experts said.
“It is high time for some serious examination of how governments evaluate the contractors they hire to collect and evaluate personal data,” said Dov Goldman, director of risk and compliance at Panorays said. “With two serious data breaches in two weeks, everyone should be extremely concerned with the information security and privacy practices of the technology companies our government uses to collect and evaluate information about citizens.”
More transparency, please
The Perceptics case is especially dodgy because it involved an unauthorized transfer of data, which Stella should raise a big red flag about privacy. The CBP did not specify the nature of the data transfer, but he believes it needs to be more transparent when dealing with sensitive information from private citizens.
“Why did this contract move all our face pictures to their network?” Stella said. “What were they trying to do with that data? I have problems with the government keeping that information; I definitely have big issues with a private corporation doing so.”
Jake Olcott, vice president at cyber risk-management firm BitSight, suggested that the government is not properly focused on or prioritizing the third-party risk when it comes to sensitive data, exposing themselves to data breaches that could potentially harm citizens.
“Government agencies have been spending too much time focused on protecting their own networks that they’ve virtually ignored the evolving threat landscape,” he said, suggesting that they need to change this stance and “gain visibility into the security posture of critical third-party contractors–immediately.”
At this point, the CBP seems to have dodged a bullet in terms of its latest breach–for now. The agency said none of the images are currently circulating on the dark web, which is often what happens these days when sensitive data is leaked.
The CBP said it’s working with Perceptics, Congress, law-enforcement agencies and cybersecurity entities–as well as ts own Office of Professional Responsibility–“to actively investigate” the incident. “CBP takes its privacy and cybersecurity responsibilities very seriously and demands all contractors to do the same,” the agency said.