San Diego

Traveler, License Plate Images Breached in Cyber Attack: CBP

CBP has reached out to members of Congress, other law enforcement agencies, and cyber security entities as part of its investigation of the incident

U.S. Customs and Border Protection said that as of Monday no traveler or license plate image data accessed during a May 31 cyber attack has appeared on the dark web or internet.

According to CBP, a subcontractor transferred copies of traveler and license plate images to their company network which was subsequently breached.

The subcontractor transferred the images without the agency’s knowledge or authorization, CBP said.

CBP has reached out to members of Congress, other law enforcement agencies, and cyber security entities as part of its investigation of the incident. The CBP’s Office of Professional Responsibility is also involved in the investigation.

The agency said the subcontractor “violated mandatory security and privacy protocols outlined in their contract.

“Government use of biometric and personal identifiable information can be valuable tools only if utilized properly. Unfortunately, this is the second major privacy breach at [the Department of Homeland Security] this year. We must ensure we are not expanding the use of biometrics at the expense of the privacy of the American public. I intend to hold hearings next month on Homeland Security’s use of biometric information,” Rep. Bennie G. Thompson (D-MS), Chairman of the Committee on Homeland Security, said in a statement.

CBP said none of its own systems were compromised, and has taken all of the equipment related to the breach out of service.

An expert told NBC 7 that traveler photos, which like fingerprints fall under the umbrella of biometric data, are extremely valuable to hackers, especially as the use of facial recognition technology becomes more widespread.

Eva Velasquez with the Identity Theft Resource center said the black market for biometric data is relatively unestablished, but it's likely it won't stay that way for long.

“These things, they stay in perpetuity," Velasquez said. "It's not going to disintegrate. So even in this moment, if there isn’t a way to monetize, that doesn’t mean 10 years from now that might not be more valuable.”

According to Velasquez, thieves can create profiles of people using biometric data and combine them with other information about you -- financial or personal records obtained in other breaches, for example. The more information they have, the more valuable their profile of you becomes.

“The fact that it's not on [the dark web] means that its not currently being sold, but I also don’t want people to think, 'Well that means there's no harm for me in the future,'” Velasquez said.

Anyone who fears their personal information is at risk can get free help from the Identity Theft Resource Center.

No other information was available.

Please refresh this page for updates on this story. Details may change as more information becomes available.

Contact Us