If you were wondering why it can be risky for governments to collect traveler images en masse on connected systems... well, here's why. US Customs and Border Protection has confirmed that hackers stole traveler images from a subcontractor, including photos of people entering or leaving the country as well as copies of their license plates. In a statement, CBP said that the subcontractor had "violated mandatory security and privacy protocols" by transferring the data to its own network.
A representative didn't tell TechCrunch how much data had been taken, or how many American citizens were caught up in the breach. The agency said alerted Congress and said it was "closely monitoring" the subcontractor's associated work.
CBP said that none of the info had been spotted on either the dark web or the public internet, although the company in question might have had at least one leak. Officials inadvertently mentioned the border crossing tech company Perceptics in their document title, and a Register report in late May indicated that data from the firm was available for free on the dark web. It's not certain if that info is associated with the CBP's breach.
The incident underscores a common problem with database security: it's only as safe as the weakest link in the chain. If a contractor leaves data vulnerable, it doesn't matter how airtight the government's own practices are. And that raises concerns about plans for facial recognition at airports. Officials have vowed to limit access to image data, but it could only take a momentary lapse in security to compromise a vast library of sensitive images.