Dark Reading is part of the Informa Tech Division of Informa PLC



6/11/2019
07:20 PM

Suppliers Spotlighted After Breach of Border Agency Subcontractor

Attackers increasingly use third-party service providers to bypass organizations' security. The theft of images from US Customs and Border Protection underscores the weakness suppliers can create.

US Customs and Border Protection (CBP) officials announced on Tuesday that an initial investigation into the breach of a subcontractor that maintains databases of photos indicated the leak involved images of fewer than 100,000 people. 

The announcement is the first assessment of the impact of the breach, disclosed by the border security agency on June 10. The incident involved a CBP contractor, which had — in violation of CBP policies — copied sensitive files of border crossings and stored images of license plates and travelers on an insecure computer. The agency stressed that its computer systems and infrastructure were not involved in the attack.

"Photographs were taken of travelers in vehicles entering and exiting the United States through a few specific lanes at a single land border Port of Entry over a 1.5 month period," CBP said in a statement. "No other identifying information was included with the images."

The breach is yet another incident reminding companies and government organizations to regularly assess the security of their suppliers. Earlier this month, LabCorp and Quest Diagnostics were notified by AMCA, their supplier of debt collection services, that information on nearly 20 million of their customers had been potentially compromised by attackers. And in April, Mexican media firm Cultura Colectiva inadvertently leaked 540 million records from Facebook users because it did not protect the Amazon S3 container on which it stored the data.

"It is critical that organizations prioritize the security and access controls of their vendors, providers, and partners," said Sherrod DeGrippo, senior director of threat research and detection at data security firm Proofpoint. "These groups regularly handle sensitive data and must be examined by organizations thoroughly as they have the same culpability as the organization itself."

DeGrippo recommends that subcontractors' security posture be regularly reviewed and threat profiles created to establish needed defenses.

CBP did not name the latest subcontractor. Yet earlier in May, an attacker breached the network of government contractor Perceptics, a maker of license plate scanning and recognition systems, and posted more than 65,000 files online, according to a May 23 article in The Register.

In its statement, CBP stressed that it has not seen any malicious use of the data to date. "As of today, none of the image data has been identified on the Dark Web or Internet," the agency's spokesperson said in a statement.

The breach notification comes at a time when CBP is expanding the technologies it uses to track travelers, including facial recognition, license plate identification, and social media tracking. Pointing to the current breach, the American Civil Liberties Union (ACLU) called the plans dangerous because government agencies and their contractors cannot keep such information safe.

"This incident further underscores the need to put the brakes on these efforts and for Congress to investigate the agency's data practices," said Neema Singh Guliani, senior legislative counsel at the American Civil Liberties Union, in a statement. "The best way to avoid breaches of sensitive personal data is not to collect and retain such data in the first place."

In 2015, the Office of Personnel Management discovered that the records of 25.7 million people had been stolen through a series of network intrusions, including into the systems of contractors.

In both breaches, because a government agency is involved and it is difficult to prove that the breaches caused harm, there will be little that consumers or citizens can do, said Robert Cattanach, a partner at the international law firm Dorsey & Whitney.

"US Courts have been reluctant to award damages absent a showing of specific and concrete harm," he said in a statement. 

Governments are finding it difficult to create policy to deal with the rapid advancement of technology.

"Rapidly evolving technology that collects vast amounts of individual data, coupled with the dramatic cultural differences between various countries that collect it, make this an even more challenging problem for individuals and their political systems to reconcile," he said.

CBP is currently scrutinizing its subcontractor's investigation into the breach, the agency said.

"CBP has removed from service all equipment related to the breach and is closely monitoring all CBP work by the subcontractor," it said. "CBP requires that all contractors and service providers maintain appropriate data integrity and cybersecurity controls and follow all incident response notification and remediation procedures."


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

Comments
REISEN1955, User Rank: Ninja, 6/12/2019 | 8:20:07 AM

An Isolated, secure computer

Isolate from the network and internet - stand alone nothing attached. Second, secure - epoxy over most USB ports if possible, pat down before using computer and when done, locked room. Do these simple precautions and Bradley Manning would not have been able to steal data. For this is not a breach but data theft pure and simple. Oh, contractor firm goes bye-bye real fast with zero payment. Breach of contract. And I would lawsuit the issue too. Cost of repair