400GB of hacked files from US border surveillance contractor are available for anyone to download

Graham Cluley

Cbp 730

Cbp 730

You don’t have to be hacked to lose control of your sensitive data.

That truth was brought home again this month when it was revealed that information gathered by the United States Customs and Border Protection (CBP), the largest federal law enforcement agency at the Department of Homeland Security, had leaked onto the internet.

And how had the data leaked? The CBP wasn’t hacked. Instead, a subcontracting company working for the CBP had copied onto its own network the digital photos of “fewer than 100,000” travellers and license plates as they made their way through a land border crossing onto its own network.

The copying of the data, which was done without the knowledge or authorisation or the CBP, would normally be bad enough. But what made things worse is that the subcontracting company, Perceptics, was then hacked.

The result? Not only were the photographs now in the hands of hackers but, as Gizmodo reports, more than 400 GB of other data stolen from Perceptics’ network – including databases, spreadsheets, HR records, business plans, financial figures, as well as personal information.

The stolen data has been distributed via torrent sites, and is now available for anyone to download from the web if they know where to look.

Perceptics file dump

It’s clear that whoever hacked Perceptics weren’t picky about what they took, as there were even MP3 music files scooped up from workers’ desktops, including “Superstition” by Stevie Wonder, “Wannabe” by the Spice Girls, and a variety of AC/DC and Cat Stevens songs.

The CBP hasn’t confirmed or denied that Perceptics was the hacked subcontractor, but it did say “the subcontractor violated mandatory security and privacy protocols outlined in their contract.”

“We’re making these files available for public review because they provide an unprecedented and intimate look at the mass surveillance of legal travel, as well as more local surveillance of turnpike and secure facilities,” said journalist Emma Best, one of the team which has chosen to share the vast amount of breached data online. “Most importantly they provide a glimpse of how the government and these companies protect our information—or, in some cases, how they fail to.”

Lesson? Your organisation may take security and privacy seriously, but if you have subcontractors and partners who are more lax about how they protect their network then it might be your data that ends up for anyone to read on the internet.

To hear more about this case, be sure to check out the episode of “Smashing Security” podcast we released earlier this month:

Smashing Security #132: 'CBP cyber attack, an iPhone privacy boost, and Twitter list abuse'

Listen on Apple Podcasts | Google Podcasts | Other... | RSS
More episodes...

Graham Cluley Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

3 Replies to “400GB of hacked files from US border surveillance contractor are available for anyone to download”

  1. “Superstition” by Stevie Wonder, “Wannabe” by the Spice Girls, pretty "eclectic" taste… as always, good article.

    1. :)

      I'm guessing they were from different employees' PCs. Stevie Wonder and Cat Stevens I can appreciate. Not so sure about the others in that list…

  2. More reason to use a travel phone when crossing the border, in case they "take it to the back room".

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.




Stay informed!

Join thousands of others by signing-up for the free “GCHQ” newsletter, containing the latest news and tips from security expert Graham Cluley.

Name:

Email:

Yes, I would like to subscribe to email updates from Graham Cluley. I know it’s easy to unsubscribe if I ever change my mind.