U.S. Customs and Border Protection (CBP) did not adequately safeguard sensitive data on an unencrypted device used during its facial recognition technology pilot (known as the Vehicle Face System). A subcontractor working on this effort, Perceptics, LLC, transferred copies of CBP’s biometric data, such as traveler images, to its own company network. The subcontractor obtained access to this data without CBP’s authorization or knowledge, and compromised approximately 184,000 traveler images from CBP’s facial recognition pilot. Later in 2019, the Department of Homeland Security experienced a major privacy incident, as the subcontractor’s network was subjected to a malicious cyber attack. While CBP and DHS took immediate action to mitigate the data breach, we attribute this incident to the subcontractor violating numerous DHS security and privacy protocols for safeguarding sensitive data. Consequently, this incident may damage the public’s trust in the Government’s ability to safeguard biometric data, and may result in travelers’ reluctance to permit DHS to capture and use their biometrics at U.S. ports of entry. We made three recommendations to aid CBP in addressing the vulnerabilities that caused the 2019 data breach, and to better mitigate future incidents through greater oversight of third-party partners. CBP concurred with all three recommendations.
Report Number: OIG-20-71; Fiscal Year: 2020
In 2017, CBP made considerable progress developing and implementing a biometric capability to track air passenger exits using facial recognition technology. CBP’s Biometric Entry-Exit Program conducted a pilot at nine airports and demonstrated the ability to use this technology to match 98 percent of passengers’ identities at departure gates. However, during the pilot, CBP encountered various technical and operational challenges that limited biometric confirmation to only 85 percent of all passengers processed. These challenges included poor network availability, a lack of dedicated staff, and compressed boarding times due to flight delays. Further, due to missing or poor quality digital images, CBP could not consistently match individuals of certain age groups or nationalities.
Report Number: OIG-18-80; Fiscal Year: 2018