A review of a facial recognition technology pilot scheme conducted by US Customs and Border Protection (CBP) has found that sensitive biometric data was not adequately protected.
The Vehicle Face System was trialed last year by CBP. A major cybersecurity incident occurred when subcontractor Perceptics, hired to work on the pilot, transferred copies of CBP's biometric data to its own company network.
The subcontractor obtained access to this data between August 2018 and January 2019 without CBP’s authorization or knowledge. Later in 2019, the Department of Homeland Security experienced a major privacy incident, as the subcontractor’s network was subjected to a malicious cyber-attack.
Subsequently, CBP data, including traveler images from CBP’s facial recognition pilot, appeared on the dark web, triggering a review by the Office of the Inspector General (OIG).
The data breach compromised approximately 184,000 traveler images from CBP’s facial recognition pilot. At least 19 of the images were later posted to the dark web.
In the review, published on September 21, the OIG found "CBP did not adequately safeguard sensitive data on an unencrypted device used during its facial recognition technology pilot."
The OIG also found that Perceptics staff "directly violated DHS security and privacy protocols when they downloaded CBP’s sensitive PII from an unencrypted device and stored it on their own network."
Perceptics' actions went against a Department of Homeland Security stipulation that requires subcontractors to protect personally identifiable information (PII) from identity theft or misuse.
The OIG made a series of recommendations to the CBP that included implementing USB device restrictions, applying enhanced encryption methods, and routinely assessing third-party equipment supporting biometric data collection to ensure partners' compliance with Department security and privacy standards.
Congress used the FY 2016 Consolidated Appropriations Act to provide CBP with up to $1bn in funding over a 10-year period to develop a biometric entry-exit solution that will monitor travelers to and from the United States.
To date, CBP’s Biometric Entry-Exit Program Office has focused primarily on air departures, starting with a pilot program at nine airports across the country in 2017.
As of April 2019, CBP had processed 19,829 flights and 2.8 million travelers across 19 airports through its biometric program.