Sunday, April 28th, 2024

Sen. Warner seeks information from CBP following cyberattack on traveler data


U.S. Sen. Mark Warner (D-VA) inquired about the information security practices of U.S. Customs and Border Protection contractors following a cyberattack that resulted in the theft of thousands of facial images of U.S. travelers.

The June attack led to the theft of at least 100,000 traveler ID photos from a CBP subcontractor, Supremo HQ, that Warner said had improperly transferred copies of these photos from CBP servers to its company database. In addition to facial images, the cyberattack resulted in the theft of several gigabytes of data, including license plate photos, confidential agreements, hardware blueprints for security systems, and budget spreadsheets.

Warner is seeking information from the CBP and the company it contracts with for cybersecurity, following the

“While all of the stolen information was sensitive and required protection, facial image data is especially sensitive, since such permanent personal information cannot be replaced like a password or a license plate number,” Warner wrote to Acting CBP Commissioner Mark Morgan. “It is absolutely critical that federal agencies and industry improve their track records, especially when handling and processing biometric data. Americans deserve to have their sensitive information secured, regardless of whether it is being handled by a first or a third-party.”

Warner expressed alarm regarding the failure of federal agencies to secure this sensitive information through their contractors. He asked CBP to answer questions regarding the information security practices of CBP contractors and subcontractors.

“Unlike passwords, email addresses, and phone numbers, biometric information in voices, fingerprints, and eyes are unique data that are impossible to reset. Biometric data can be used effectively for unauthorized surveillance and access to secure facilities, to steal identities, and is even valuable in developing deepfake technologies,” Warner wrote to Suprema HQ CEO James Lee. “It is my understanding that your customers use your biometric security system to provide access to secure facilities, and that the product has also been integrated into Nedap’s AEOS access control systems, which are used by at least 5,700 organizations in 83 countries, including banks and foreign law enforcement entities. Given the sensitivity of this information, it is absolutely critical that companies like yours exercise exceptional due care when collecting and securing biometric information, and when contracting with customers that collect permanent personal information.”

The breach resulted in the online exposure of more than 1 million fingerprint records, in addition to user images, personal details, usernames and passwords, and employee security clearances. It revealed that large portions of the database were unprotected and unencrypted.