U.S. Customs and Border Protection collects a trove of data about travelers including photos, fingerprints, and details about social media accounts. Officials argue that the information helps prevent terrorists from entering the country, but it also opens the door to a serious problem: Hackers
The CBP hammered the point home on Monday by disclosing a breach of as many as 100,000 license plate photos and images of travelers at one point of entry.
Cybersecurity experts say it all comes down to a simple rule: The more data someone collects, the bigger the target it is for theft. As law enforcement begins to deploy and depend on new technology, such as facial recognition, it will have to walk a fine line in balancing innovation with privacy.
“Law enforcement at all levels will always be a prime target for anyone seeking to disrupt our society and profit from our residents,” says Tim Mackey, principal security strategist at cybersecurity firm Synopsys.
In terms of the newly disclosed hack, a CBP spokesperson says its system was never breached. Instead, hackers are believed to have taken the information from a contractor that had uploaded the photos to its server without permission. CBP has declined to disclose that company’s name. But in an initial email sent to the Washington Post, CBP’s subject line said “CBP Perceptics Public Statement,” pointing the finger at Perceptics, a license plate reading company based in Farragut, Tenn. The Register reported a Perceptics breach last month, falling in line with CBP’s response that it learned about the breach on May 31, however there hasn’t been a public statement connecting those incidents.
On its website, Perceptics details its security products, including technology that allows law enforcement to evaluate information and intelligence from about vehicles trying to gain access or leave the country. The company also touts how its technology can reduce the time needed for data entry, so officers “can spend their time focusing on the vehicle’s occupants and contents.”
A representative from Perceptics did not immediately respond to a request for comment.
Mackey says the breach shows how hackers are savvy enough to go after the “weakest link,” which in this case, was a contractor.
The stolen photos are believed to have been taken over the span of one and a half months, and in a few specific lanes at a U.S. border crossing. A CBP official declined to disclose the port of entry where the photos were taken, but said none of the stolen data has been found on the dark web, a place where hackers typically go to sell stolen information.
“CBP continues to actively investigate the incident and will take additional appropriate actions once the investigation is complete,” a CBP spokesperson told Fortune. “In addition, CBP and federal authorities will continue to monitor for any unauthorized disclosure of the information involved in this incident.”
The breach comes after members of the House Committee on Oversight and Reformheard from privacy experts last month, who called on Congress to regulate facial recognition technology, citing civil rights concerns, and the potential for that data to be hacked and misused.
“This becomes a particularly challenging problem for law enforcement as technological innovations often outpace privacy legislation,” says Mackey.
Last month, San Francisco banned law enforcement and other city departments from using facial recognition technology. However, other cities, and the federal government, are moving to adopt the technology for more chores in the future.
For example, the Department of Homeland Security says it plans to use facial recognition technology on 97% of passengers departing from the U.S. within the next four years. There’s currently no law stopping the agency from doing so.
Rep. Bennie Thompson, a Democrat from Mississippi who serves as the chairman of the House Homeland Security Committee, says the CBP breach is concerning. It’s the second time this year that DHS has reported a data security problem.
In March, DHS said that the Federal Emergency Management Agency mistakenly released personal information of 2.3 million survivors of 2017 hurricanes and wildfires to a contractor.
“Government use of biometric and personal identifiable information can be valuable tools only if utilized properly,” Thompson said in a statement. “We must ensure we are not expanding the use of biometrics at the expense of the privacy of the American public.”
While biometric data can help in certain situations, Mackey says more transparency will be necessary as law enforcement leans on technology to make policing decisions.
“The key here is transparency. It should be clear to citizens what CBP collects in the execution of its mandate, how long the data is retained, and under which conditions it will be transferred outside of CBP control,” Mackey says.