After photos of travelers and vehicles crossing U.S. borders were nicked from a Customs and Border Patrol (CBP) subcontractor through a cyberattack, and Suprema BioStar 2 exposed more than 1 million fingerprint records along with facial recognition information and other sensitive data, Sen. Mark Warner, D-Va., pressed CBP for details on how it ensures third-party contractors are following security best practices.
“While all of the stolen information was sensitive and required protection, facial image data is especially sensitive, since such permanent personal information cannot be replaced like a password or a license plate number,” Warner wrote in a letter to Acting CBP Commissioner Mark Morgan. “It is absolutely critical that federal agencies and industry improve their track records, especially when handling and processing biometric data. Americans deserve to have their sensitive information secured, regardless of whether it is being handled by a first or a third party.”
In June, the agency said in a statement it had “learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network.” The incident raised questions: Why did the contractor move “all our face pictures to their network? What were they trying to do with that data?” Pierluigi Stella, CTO of Network Box USA, said at the time. “I have problems with the government keeping that information; I definitely have big issues with a private corporation doing so. Someone here needs to explain to us why that data was moved to the network of a private government subcontractor...”
The incident came as CBP sought “to expand its massive face recognition apparatus and collection of sensitive information from travelers, including license plate information and social media identifiers” and underscored “the need to put the brakes on these efforts and for Congress to investigate the agency’s data practices,” American Civil Liberties Union (ACLU) Senior Legislative Counsel Neema Singh Guliani said in June.
Warner wrote that he’d “frequently pointed out the derisory state of third-party contractor and subcontractor information security practices and management in industry and across government.”
The Suprema breach in August sounded the alarm that organizations must “be vigilant about how they outsource their customer and employee data and how that data is stored and processed,” Panorays co-founder and CEO Matan Or-El, said at the time. “Organizations need to ensure that their suppliers and business partners are on par with the organization’s own security standards and continuously uphold their suppliers to that standard. This should be part of their supplier management process, including vetting and continuously monitoring these suppliers to take action on any change in the security.”
That’s exactly Warner is pushing for. Noting that it’s “absolutely critical that federal agencies and industry improve their track records, especially when handling and processing biometric data,” Warner asked Morgan to detail contractual requirements with third parties for security controls and management of biometric data; encryption requirements; and what, if any, identity and access management requirements the agency has in place for contractors.
Warner, who is a former tech executive, also pressed for more information on account segregation and credential requirements, how the agency evaluates data retention policies for third parties, and data loss prevention and vulnerability management mandates.