Hackers have hit the US Customs and Border Protection (CBP) agency, accessing photos taken of travellers and their cars as they moved through road entry points.
Nearly 100,000 people had their images exposed, which included photos of license plates and the cars they were driving.
It’s always unnerving when cybercriminals find a way into systems run by law enforcement, but according to CBP, no passport details or facial recognition images (currently gathered at US airports) were compromised.
Attackers focused on one of the CBP’s sub-contractors, which was holding the images on its own IT systems. The breach comes just as CBP is expanding its programme of facial recognition, and collection of more detailed traveller data.
It isn’t clear why the un-named company held the data on its systems, but the CBP says it believes they ‘…violated mandatory security and privacy protocols outlined in their contract.”
Penalties for the supplier could be severe.
CBP says its removing software and devices related to the breach, and auditing all work completed by the sub-contractor. It’s notified other law enforcement agencies and asked its own internal affairs office to investigate the incident.
Supply Chain Vulnerabilities
‘No CBP systems were compromised in the attack,’ said a statement from the agency. “The subcontractor’s network was compromised.”
That explicit shifting of blame downward is significant.
While there may have been a time when large organisations would (reluctantly) assume some of the responsibility for data security across their supply chains, tolerance for failure is rapidly disappearing.
Businesses are now being held to account by regulators and customers for the actions, or negligent inaction, of suppliers.
Study after study tells us that customers will abandon a brand after a major breach. Consumers now judge companies on how reliably they protect personal data.
It doesn’t matter if the breach happens on a supplier’s systems. The brand that contracts the supplier and gives it access to customer data gets the blame.
Retail and finance organisations can suffer a lingering sales drop after a breach, with a third of consumers saying they will take their business elsewhere.
Failure to comply will cost you
On the regulatory front, privacy protection has become a major policy focus.
In addition to GDPR on this side of the pond, all US Federal Government contractors and sub-contractors now have to comply with a 2018 directive called NIST SP 800-171.
It addresses the protection of ‘Controlled Unclassified Information’ or CUI, and the cybersecurity measures required to keep it from falling into the wrong hands.
CUI is data which is sensitive, but not classified. A contractor would normally only hold it in order to fulfill their responsibilities on government projects.
It seems that in this case, the sub-contractor didn’t need to store images in a non-government IT systems. They did so anyway.
Your data is out there
As more and more detail from our lives is curated on social media, as more business is transacted online, and as video and surveillance technology advances, the opportunities to collect and analyse personal data grows exponentially every year.
Governments are ramping up the amount of information they hold on individuals. Access to that information is shared between government departments, agencies, and a long list of suppliers.
We often point the finger at nation state actors like China and Russia for violating privacy or looking to steal private info, but in the cyber surveillance game, pretty much everyone is at it.
- After 9-11, America’s NSA created a programme that’s collected data on millions of Americans.
- The WannaCry ransomware that exploded on corporate systems in 2017 was created in North Korea, but adapted from powerful spying software developed by America’s own National Security Agency (NSA).
- Our own GCHQ operates a programme called ‘Tempora’ that taps and monitors the 10 gigabits per second of data travelling over fibre-optic cables in and out of the UK.
Personal privacy is an obvious concern, as is the possibility of identity theft should detailed data about us fall into the wrong hands.
Perhaps the American Civil Liberties Union was correct when it commented that:
…The best way to avoid breaches of sensitive personal data is not to collect and retain such data in the first place.
But until the current direction of government policy and legal protections changes, companies and individuals need to adopt measures that will minimise how much information about us can be accessed and mis-used.
Raise security awareness – up and down the supply chain
Whether it’s your own organisation or one you contract out to, every link in a private or public sector supply chain needs to take ownership of cybersecurity, and protect all the sensitive data it stores, receives, or transmits.
Systems need to have the latest technological defences, but systems can be breached.
Organisations need to supplement information security investments by empowering their own people to be on the lookout for cyber attacks and the signs that a hacker is trying to breach corporate networks or personal devices.
Cyber risk as a daily management challenge and enlisting your own people to help is the most effective way to stay secure.
Want to know more about security awareness training? Why not sign up for a free demo and find out how we’re already helping government and public sector organisations dramatically improve employee security awareness.