Those systems were later hacked, held for ransom and had their contents posted online, triggering an emergency response inside CBP and exposing confidential agreements, hardware schematics and other records the government has long sought to keep under wraps. Border officials did not learn of the cyberattack until three weeks after the breach was first discovered, according to timelines provided by the company and CBP.
The breach cast a spotlight on a troubling fact for federal lawmakers and privacy advocates: The privately maintained surveillance systems that the government relies on for its wide-reaching security mandate are expanding so quickly, and often without oversight, that it can be hard for the public to keep track.
Members of Congress this summer expressed fury at the breach and said it made them question the risks of the country’s surveillance infrastructure, which includes new facial-recognition systems being installed at U.S. airports and used by federal investigators and local police.
“The federal government does not have a great track record securing America’s personal data,” House Homeland Security Committee chairman Rep. Bennie Thompson (D-Miss.) said at a hearing in July.
A CBP contractor for nearly 30 years, Perceptics was suspended from federal contracting in July for what CBP officials said was “evidence of conduct indicating a lack of business honesty or integrity.” But in an agreement between CBP and Perceptics officials made public Thursday, the company will be able to resolve its suspension and return to federal work as long as it abides by a number of security reforms.
In the agreement, signed by CBP and Perceptics officials last month, CBP said Perceptics’ breach of data collected from license-plate scans was “completely unacceptable” but not unethical or illegal. The agency said it would lift the suspension “only with adequate assurance that doing business with Perceptics does not pose an undue risk.”
But the agreement filings also highlighted some potentially concerning gaps for the government’s other private surveillance contractors. Perceptics said in a filing to CBP that there was “no evidence” the government had ever reviewed the security requirements of its computer systems. The company also said it could not alert the people whose data was taken and distributed by attackers, because it has “no ability to confirm identity or reach out to individuals contained within images.”
CBP officials said the agreement was designed to address potential risks and strengthen security while allowing the company to continue work.
Perceptics did not respond to requests for comment.
Perceptics agreed to implement dozens of new privacy and security reforms, including safeguarding sensitive data, training workers to respond to threats and building new defenses against cyberattacks, before it would become eligible to work again with sensitive government information. A company timeline suggested many of those reforms had already been implemented or would be effective in the coming months.
The company also agreed to appoint an officer overseeing the security measures, pay for an independent monitor to evaluate its compliance, establish an anonymous employee hotline for reporting violations, and give CBP officials regular updates on its progress.
Dave Maass, a researcher studying government surveillance for the Electronic Frontier Foundation, said the episode helped highlight the privacy risks of the government’s monitoring of personal data on a vast scale. He also said Congress should urge the agencies and contractors to be more transparent when future breaches occur.
“It’s easier for CBP to stick with the status quo rather than re-engineering their entire surveillance apparatus,” he said. “But it’s also disappointing. I’d like to see agencies — when they find the technology they’re dealing with is vulnerable, and that the contractors have acted irresponsibly — revisit not just who they’re contracting with but how they use the technology in general. … Bigger and bigger breaches are going to happen.”
A hacker using the pseudonym “Boris Bullet-Dodger,” who posted the stolen materials on a publicly available “dark web” site, said in emails to The Washington Post this summer that they had gained access to Perceptics’ computer systems for roughly four months and demanded a ransom.
Neither the company nor CBP has provided details on how Perceptics’ systems were penetrated, or why the government was so delayed in learning of the breach in the first place.
Perceptics told CBP in the agreement filings that the company had notified the tech firm Unisys, a major government contractor for which Perceptics was doing work, “upon recognition that the breach and ransom were confirmed credible.” It’s unclear how, when or whether Unisys communicated the breach to CBP.
Unisys, which declined to comment this week, said in July that it was “aware of the Perceptics cybersecurity incident” but could not comment further due to the ongoing investigation.
CBP officials said the FBI continued to investigate the breach. The FBI would not confirm or deny the investigation.
Perceptics’ systems gather data on people crossing into the U.S. legally at many of the country’s largest border checkpoints, including the San Ysidro Port of Entry, where roughly 70,000 vehicles and 20,000 pedestrians cross into the U.S. every day.