US Customs and Border Protection (CBP) has admitted a data breach at a sub-contractor has compromised images of individuals and vehicles entering and leaving the country.
The controversial agency first learned of the “malicious cyber-attack” on May 31.
“CBP learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network,” it said in a statement.
“Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract.”
According to the agency, none of the stolen data has yet been spotted on the dark web, although it may be being traded on closed forums.
It’s believed that it covers tens of thousands of travellers for a period of over a month.
The name of the contractor is officially not being made public, although there are suggestions that it could be Perceptics, a firm that supplier license plate reading services for the government.
Robert Cattanach, a partner at the international law firm Dorsey & Whitney, argued that consumer rights in this area are limited, despite a new Californian privacy law designed to strengthen them (CCPA).
“Unless a traveler can prove that they have been harmed somehow by the disclosure of their information and location at a border or airport there is very little anyone can do once their information has been stolen, and then often made available on the dark web. US Courts have been reluctant to award damages absent a showing of specific and concrete harm,” he argued.
“The CCPA does not apply to the US government, and more robust federal privacy protections have been repeatedly stalled in Congress. Rapidly evolving technology that collects vast amounts of individual data, coupled with the dramatic cultural differences between various countries that collect it, make this an even more challenging problem for individuals and their political systems to reconcile.”