If you crossed the southern border of the U.S. into Mexico by car recently, your license plate information may have been compromised. Officials at U.S. Customs and Border Protection (CBP) said they were the victims of a “malicious cyberattack” that compromised around 100,000 license plate images. In a statement given to the press, CBP indicated that “none of the image data has been identified on the dark web or internet.” Those responsible for the cyberattack exploited a significant “hole” in cybersecurity, one faced by any company or agency that relies on subcontractors and supply chains: the organization does not control the security practices of its subcontractors and third-party vendors. In the CBP cyberattack, a vendor in the image reader software supply chain downloaded the license plate images without authorization. The vendor’s network was then hacked, and the images were stolen from that network.
As the Times noted, the stolen images are of little value to thieves looking for financial exploitation. The danger lies in the tracking capability that license plate images give CBP and any other entity that surveils individuals. Perhaps not ironically, just weeks earlier, privacy advocates (who support banning facial recognition scanners) testified before the House Committee on Oversight and Reform. That hearing dovetails with a larger push by Homeland Security to scan all passengers at 20 of the nation’s largest airports. Irony and coincidence aside, the hole in CBP’s supply chain security is a classic case study in the potential dangers of incomplete supply chain security. While few question the need for surveillance at border crossings and airports, the public should be able to feel secure that the government is not abusing its surveillance capabilities.
Going forward, high-profile targets such as border crossings and airports should be required through regulation to ensure security all along the supply chain. The CBP attack illustrates a “passing the buck” mentality that puts our PII at risk. While some required supply chain security can be addressed with automation and logistics software applications, other aspects (such as policy governing access to and use of the data) should be addressed as part of a larger IG strategy.