Sen. Mark Warner, D-Va., wants to know more about the security practices U.S. Customs and Border Protection has in place for third-party vendors, three months after a cyberattack on a CBP subcontractor resulted in the theft of tens of thousands of travelers’ biometric data.
In a Sept. 16 letter to acting CBP Commissioner Mark Morgan, Warner asked for answers to eight questions regarding the agency’s access management requirements, encryption standards and security evaluation policies, along with several other practices.
Warner wrote that he was “alarmed” about security breach on a subcontractor reported by CBP June 10 working on the U.S.-Mexico border. CBP found that the subcontractor had illegally transferred a CBP database to their network. The breach exposed facial and license plate photos. Subsequent reporting by the Washington Post suggested that gigabytes of other data was also stolen, like budget spreadsheets and confidential agreements.
CBP said at the time that the breach impacted less than 100,000 people. At a congressional hearing in front of the House Homeland Security Committee July 10, John Wagner, deputy executive assistant commissioner at CBP, testified that subcontractor was working on a pilot program and was not directly connected to the Department of Homeland Security’s network.
Warner stressed in his letter that the breach had significant ramifications.
“While all of the stolen information was sensitive and required protection, facial image data is especially sensitive, since such permanent personal information cannot be replaced like a password or a license plate number,” Warner wrote.
Warner wrote a separate letter to another Sept. 16 to a South Korean biometrics company, Suprema HQ, which experienced a breach in August that exposed biometric information of over one million people worldwide.
“It is absolutely critical that federal agencies and industry improve their track records, especially when handling and processing biometric data," Warner wrote. "Americans deserve to have their sensitive information secured, regardless of whether it is being handled by a first or a third-party.”
Warner asked for a response from CBP in two weeks.