The Washington Post

Border-surveillance subcontractor suspended after cyberattack revealed sensitive monitoring details

The San Ysidro border checkpoint in San Diego, shown in 2017, is one of dozens monitored along the border by Perceptics surveillance equipment. (David Maung/EPA-EFE/Shutterstock)

The longtime maker of license-plate scanners and other surveillance equipment used along the U.S. border was suspended Tuesday from federal contracting by U.S. Customs and Border Protection officials, who cited “evidence of conduct indicating a lack of business honesty or integrity,” federal records show.

The rare punishment temporarily prevents the longtime contractor, Perceptics, from doing business with the federal government and could land the company on a years-long government blacklist.

Perceptics was attacked by an unknown hacker and had much of its internal data — including images of travelers’ faces and license plates, surveillance-equipment schematics and sensitive contracting documents — made available for download on the open Web.

When it announced the “malicious cyberattack” last month, CBP declined to name which subcontractor had been hacked. The federal documents Tuesday identified the company being suspended as Perceptics and identified CBP as the “excluding agency.”

CBP did not say why it had suspended Perceptics’s contract. When it initially announced the hack, CBP said an unnamed subcontractor had transferred copies of license-plate and traveler images onto its private network in violation of agency rules.

Such suspensions are highly unusual and generally come only after an accusation of major wrongdoing, such as an indictment against executives or a crime against the government, said Angela Styles, a government-contracts lawyer at the Washington firm Akin Gump.

Suspensions or debarments, a more severe penalty, are often imposed on companies that commit fraud, embezzlement, obstruction of justice, bribery or other crimes “of so serious or compelling a nature” that they correlate “with a lack of present responsibility,” CBP documents state.

Perceptics said in a statement late Tuesday that it has “an unblemished record” and remains “committed to working collaboratively with CBP to address any and all concerns.”

“Perceptics and its management categorically denies any illegal or unethical behavior, and we stand ready to meet to discuss this with the government in any setting, and to demonstrate our support of the CBP mission,” the statement said.

CBP did not respond to requests for comment.

The suspension is a crushing blow to one of the central cogs of the U.S. border-surveillance machine and comes at a time of growing questions over CBP conduct, security and oversight. Lawmakers and civil rights advocates said the breach illustrates the danger of the federal government’s reliance on private companies to collect and stockpile sensitive data on people’s locations and identities.

Perceptics has worked with CBP for nearly 30 years, designing and building the automated license-plate readers that officials use to scan every car, bus, truck and motorcycle crossing the American border. The Tennessee-based company said in 2015 that it was the sole provider of license-plate scanners for passenger vehicle inspections “at all land border ports of entry in the United States, Canada and at the most critical lanes in Mexico.”

It is unclear how the suspension will affect security or surveillance systems at U.S. border checkpoints. CBP said none of its systems were compromised in the cyberattack.

Perceptics will face upcoming administrative proceedings to determine whether the company should be debarred, meaning prohibited for an extended period from working for the federal government. The proceedings are not public, and a suspension and debarment official for CBP will make the final decision as to Perceptics’s future contracting.

Styles said the company will have a chance to defend itself and could emerge from the proceedings with the ability to return to federal contracting. But in the meantime, the company will not be able to do any business with the federal government — a devastating hit for the longtime contractor, which widely promotes its scanner systems for use at border crossings, highway safety checkpoints and toll-road gates.

A review of the hacked documents indicated that Perceptics also has done work for the Drug Enforcement Administration and the U.S. military.

A debarment could last several years and would prevent the company from entering into any new prime contracts or subcontracts. Debarred companies are often shunned by other firms discouraged by the loss of contracting work, Styles said.

CBP is involved in suspension proceedings with just one other company besides Perceptics, federal documents show. The agency has marked only seven companies as ineligible for new contracts in the past five years.

Perceptics has worked with a number of other national clients, including Canadian border officials, who told CBC News last month that they would continue using Perceptics equipment but were pressing for a “full forensic investigation.” The Canada Border Services Agency did not respond to requests for comment.

Perceptics had welcomed CBP officials for an office tour as recently as April, the breached documents show.

The hack exposed detailed records about sensitive CBP contracts worth hundreds of millions of dollars and included precise details on the surveillance hardware used at massive ports of entry between the United States and Mexico, including San Diego’s San Ysidro checkpoint, one of the busiest border crossings in the world.

The documents were posted to a secretive region of the Internet known as the “dark Web,” where they were downloaded and reviewed by The Washington Post. The documents have also been reposted onto the broader Web by Distributed Denial of Secrets, a “transparency collective” that posts leaked or hacked material.

A dark-Web directory of the files credits the attack to Team Snatch, a cybercriminal group that says it specializes in corporate hacks and extortion. A hacker with the team, using the pseudonym “Boris Bullet-Dodger,” told The Post over encrypted email that the team had gained access to Perceptics’s computer systems for four months and had demanded a ransom payment but that Perceptics “broke their side of the bargain.”

The hacker wrote, “I never meant to complicate border authorities or government” and blamed the hack on Perceptics executives, who the hacker said had “gone rogue.”

“I hope now all clients [of] Perceptics will be carefully selecting a supplier,” the hacker wrote. Those comments could not be independently verified.