Approximately two weeks ago, in a June 10 statement to the media, U.S. Customs and Border Protection said that photographs of up to 100,000 individuals traveling through one of its checkpoints on the U.S.-Canada border, along with their license plates, had been compromised in a data breach. The agency was restrained in its explanation, saying the incident was the result of a cyberattack against one of its data management subcontractors and that CBP's own law enforcement networks had not been penetrated. At the time there was no concrete evidence that CBP's characterization of the breach was misleading, whether intentionally or not, though some in government and the cybersecurity community expressed doubts about the agency's account.
New reporting has revealed that the breach was far more substantial than agency spokespeople had acknowledged. According to The Washington Post, anyone with reasonable computer savvy who knows where to look on the internet can find comprehensive details of American border security technologies and, in theory, exploit that knowledge for any number of malicious ends. Breaches on this scale are something every organization should fear, especially since they can originate from decisions that look minor in isolation: here, a subcontractor copying sensitive data onto its own network. The same holds for the technology choices made when modernizing and developing legacy applications; the data-handling practices built around those systems matter at least as much as the language or framework they are written in.
The full scope of the CBP hack
Perhaps most bizarre in this story is that it remains unclear exactly how the hack was perpetrated, whether via phishing or some other intrusion technique. (A denial-of-service attack, often mentioned in coverage of hacks, would not by itself account for stolen data; ransomware is also less likely, as no reports of a monetary demand to CBP have emerged, though it is not entirely outside the realm of possibility.) Additionally, The Register reported that a vast amount of data stolen from Perceptics, the firm providing license-plate recognition services to CBP, had surfaced online as early as May 23, a week before the Homeland Security agency learned about the hack and almost three weeks before it publicly announced the breach. The only clue to how attackers were able to reach Perceptics is that the subcontractor had, in the department's words, violated its contract by storing checkpoint photos of license plates and drivers on its own servers, though it is debatable whether federal servers would have been any safer.
Per the Post's reporting, which surfaced June 21, all of the material taken in the CBP data breach is available as a series of bulk files totaling hundreds of gigabytes; downloading the full set would likely take several days. These caches include equipment schematics, budgets, blueprints, prototype photos, confidential agreements between CBP and Perceptics, and details of security systems at numerous border checkpoints (on both the Canadian and Mexican borders) and at American military bases. The leaked files also revealed Perceptics' significant work not only for CBP and other federal law enforcement agencies but also for the U.S. military and for the armed forces of Saudi Arabia and the United Arab Emirates.
Agency's damage-control efforts raise further questions, concerns
All of the details noted above stand in stark contrast to CBP's initial description of the cyberattack, an account that was notably understated: "CBP learned that a subcontractor, in violation of CBP policies and without CBP's authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor's company network," the department stated, as cited June 10 by TechCrunch.
The Washington Post's findings make clear that the account above was at the very least reductive, if not necessarily deliberately so. Beyond the descriptions of Perceptics' work already noted, the leak included nondisclosure agreements between Perceptics and Northrop Grumman (as well as Microsoft), internal procedural documents from the Department of Homeland Security, and highly sensitive diagrams containing critical details of American border security resources. Joseph Lorenzo Hall, chief technologist at the Center for Democracy & Technology, a nonprofit digital-rights organization, explained to the Post in an interview just how serious the leak of this information is.
"This is red meat for [Perceptics] competitors … [and] a whole set of domestic and foreign terrorists and criminals who might want to use that information," Hall said to the news provider. "This is a pretty stark view into one of the cogs of the U.S. surveillance state, [and federal agencies] may have to change some of that operational stuff pretty quickly before people take advantage."
Information privacy advocates were alarmed not only by the exposure of travelers' information but also by the fact that CBP had been using these technologies to gather Americans' data without being open about doing so.
The urgency of cybersecurity
No matter the size of your organization or what it does, the importance of protecting your vital data cannot be overstated. That means more than deploying firewalls and traditional anti-virus tools; it also means examining how your data is collected, where copies of it end up, and which systems handle it for automated data processing and other essential tasks. By CBP's account, the Perceptics breach exposed data that should never have been on the subcontractor's network in the first place. If the infrastructure you rely on for these tasks is itself weak, or if sensitive data is copied to places it does not belong, you may be facilitating a breach regardless of the defenses at your perimeter.