The data breach, announced last year, exposed about 184,000 traveler images from CBP’s facial recognition pilot, according to the report by the Department of Homeland Security Inspector General.
As VentureBeat notes, one fresh takeaway from the report is confirmation that data from the breach ended up on the dark web. Although the CBP had originally declined to comment on that question, the inspector general found that at least 19 images were posted online.
According to the inspector general, a subcontractor, Perceptics, downloaded copies of the CBP’s biometric data onto its own servers, which were then compromised due to a “malicious cyber attack.” While Perceptics employees broke security rules when they copied the data to the company’s network, the inspector general determined that the CBP’s cybersecurity practices were “inadequate to prevent the subcontractor’s actions.”
“This incident may damage the public’s trust in the government’s ability to safeguard biometric data and may result in travelers’ reluctance to permit DHS to capture and use their biometrics at U.S. ports of entry,” the inspector general wrote in the report.
According to a blog post by TechDirt, while the CBP has promised to follow the inspector general’s recommendations going forward, the vast amount of data collected by the agency—and other government entities—will continue to make it look appealing to cybercriminals.
Another federal watchdog, the Government Accountability Office, also criticized the CBP in a recent report. As TechCrunch explains, the GAO found that the agency failed to properly inform Americans that they could opt out of facial recognition scanning at airports.
According to CNN, the Perceptics data breach also resulted in at least 50,000 American license plate numbers surfacing on the dark web.