Photos of 100,000 Travellers Stolen in CBP Data Breach

On Monday, the U.S. Customs and Border Protection agency confirmed that photos of up to a 100,000 travellers have been exposed in a data breach.The U.S. government has strict guidelines on protecting sensitive data, so how could this have happened - and how can you prevent a data breach in your organisation?

 US law enforcement vehicle on US-Mexico border

The Customs and Border Protection agency takes photos of cars passing through border control checkpoints, recording images of the passengers and license plates of each vehicle. While there are legitimate security concerns that make this a sensible practice, it does raise the serious issue of protecting people’s privacy.

How could the leak have been prevented?

The first rule of preventing data leaks is to not collect any unnecessary private information. While there is little chance of convincing U.S. Border Control to collect less information on people passing through the border, it is still a lesson that other organisations should keep in mind.

Having collected the sensitive information already, however, it’s essential to take steps to prevent it from falling into the wrong hands. The CBP no doubt takes data privacy seriously, but what ended up causing the photos to be exposed was a classic mistake - they handed the data over to a subcontractor.

There’s nothing inherently wrong with handing over data to subcontractors, but if you are giving them sensitive information - like the photos and license plate images of almost 100,000 people - it’s essential that you ensure their data protection and cyber security practices are up to scratch.

How the data became exposed

The subcontractor involved ended up falling prey to a malicious cyber attack, which left the photos and other data in the hands of cyber criminals. The unfortunate thing in this case - as in almost any major data breach - is that this could all have been easily avoided.

In violation of its agreement with CBP and its own cyber security policies, the subcontractor allowed the traveller data to be passed into its own company network. For someone not completely on top of cyber security concerns, this may not seem like an issue at all - after all, if a company is to hold data, surely it can’t be a problem to share this data through the company’s own network?

Why sensitive data needs to be kept separate

Sensitive data needs to be protected from exposure in a far more serious manner than most data that passes through company networks. If you allow sensitive data to mix with other data on the network, it suddenly becomes exposed to anyone with access to the network at all - which can be a lot of people.

When working with sensitive data, limiting exposure is always key. While you may trust everyone within the company network, every new access point to data creates a higher risk of it being leaked. In this case, a single cyber attack on the company network - which may otherwise have been a minor annoyance - resulted in almost 100,000 people having their photos and license plates leaked.

The lesson here is a classic one: if you control sensitive information, only allow access to those who actually need it - and only if they will abide by this same rule.

Want to ensure that there will never be an embarrassing headline about a data leak from your organisation? Empower your employees as a cyber security asset with our individually-tailored online security awareness training.