Pixel Envy

Written by Nick Heer.

License Plate Reader Data From Perceptics and CBP Photos of Travellers Leaked in Likely Related Breaches

Thomas Claburn, reporting two weeks ago for the Register:

Tennessee-based Perceptics prides itself as “the sole provider of stationary LPRs [license plate readers] installed at all land border crossing lanes for POV [privately owned vehicle] traffic in the United States, Canada, and for the most critical lanes in Mexico.”

In fact, Perceptics recently announced, in a pact with Unisys Federal Systems, it had landed “a key contract by US Customs and Border Protection to replace existing LPR technology, and to install Perceptics next generation License Plate Readers (LPRs) at 43 US Border Patrol check point lanes in Texas, New Mexico, Arizona, and California.”

On Thursday this week, however, an individual using the pseudonym “Boris Bullet-Dodger” contacted The Register, alerting us to the hack, and provided a list of files exfiltrated from Perceptics’ corporate network as proof. We’re assuming this is the same “Boris” involved in the CityComp hack last month. Boris declined to answer our questions.

Drew Harwell and Geoffrey A. Fowler, reporting today for the Washington Post:

Customs officials said in a statement Monday that the images, which included photos of people’s faces and license plates, had been compromised as part of an attack on a federal subcontractor.

[…]

CBP would not say which subcontractor was involved. But a Microsoft Word document of CBP’s public statement, sent Monday to Washington Post reporters, included the name “Perceptics” in the title: “CBP Perceptics Public Statement.”

There’s a lot wrong with this. It’s understandable why Customs and Border Protection would have all collected data stored in connected repositories, but it is inexcusable for this data to be unencrypted.

I also get why a contractor would be involved in creating this system, but it’s outrageous that the contractor would have general access to any data after implementation.

Anyway, that’s a lot to unpack before we even get to this part of Harwell and Fowler’s report:

One U.S. official, who spoke on condition of anonymity due to lack of authorization to discuss the breach, said it was being described inside CBP as a “major incident.” The official said Perceptics was attempting to use the data to refine its algorithms as part of a CBP-sanctioned pilot program to match up license plates with the faces of a car’s occupants, which the official said was outside of CBP’s sanctioned use. The official said data from travelers crossing the Canadian border was also included.

This paragraph is unclear in its specifics — how exactly can using data collected in a CPB-sanctioned program be outside of the sanctioned use of that data? I’m sure this makes sense in some way, but it isn’t explained here — but the gist of it is pretty awful. It’s one thing to collect records of individuals entering and leaving the country; it’s wildly different to train facial recognition to associate persons with vehicles and keep track of them, particularly as over half of Americans live in areas where CBP has extra authority.

My face is probably in this breach. Hooray and also sorry.