US customs data breach exposes travellers’ photos

A US Customs and Border Protection (CBP) subcontractor has announced a data breach.

The agency first learnt of the cyber attack on May 31, where by images of vehicles and travellers entering and leaving the US had been compromised.

In a statement CBP said:

“CBP learned that a subcontractor, in violation of CBP policies and without CBP’s authorisation or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network.”

None of the stolen data has yet to be found on the dark web according to the agency, however the data could be traded on closed forums. Additionally it is believed that the data compromised covered tens of thousands of travellers for a period over a month.

CBP have not officially revealed the name of the contractor however the title of a statement sent to the Washington Post, contains the name “Perceptics”, a firm that supplies license plate reading services for the government.

The breach raises concerns as to why the data was being gathered and stored.

Pierluigi Stella, CTO of Network Box USA asked:

“Why did this contract move all our face pictures to their network?  What were they trying to do with that data?”

Unfortunately, despite the data breach, consumer rights are limited even with the new California privacy law (CCPA).

Robert Cattanach, a partner at the international law firm Dorsey & Whitney argued:

“Unless a traveller can prove that they have been harmed somehow by the disclosure of their information and location at a border of airport there is very little anyone can do once their information has been stolen, and then often made available on the dark web. US Courts have been reluctant to award damages absent a showing of specific and concrete harm.

“The CCPA does not apply to the US government, and more robust federal privacy protections have been repeatedly stalled in Congress. Rapidly evolving technology that collects vast amounts of individual data, coupled with the dramatic cultural differences between various countries that collect it, make this an even more challenging problem for individuals and their political systems to reconcile.”

The largest data protection, privacy and security event of 2020, now available on-demand!

Featuring four whole days of keynote sessions, panel debates, and an opportunity to network and chew over all things data-related through discussions in public boards and virtual booths, PrivSec Global is now available to watch on-demand.

You can access the content from all four days, by registering for access to our PrivSec Global platform below.

Learn More and Register

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.