OFFICE OF INSPECTOR GENERAL
Department of Homeland Security
passenger images that CBP captured during the VFS pilot.[20] CBP determined
that more than 184,000 traveler facial image files, as well as 105,000 license
plate images from prior pilot work, were stored on the subcontractor’s network
at the time of the ransomware attack. In addition, the hacker stole an array of
contractual documents, program management documents, emails, system
configurations, schematics, and implementation documentation related to CBP
license plate reader programs.

CBP first learned of the data breach on May 24, 2019, and took prompt action
to notify the Department and mitigate risks from the incident.[21] On June 3,
2019, DHS officially declared the event a “Major Cybersecurity Incident” based
on the potential impact to the Department’s reputation and demonstrable harm
to public confidence.[22] As required by DHS Privacy Incident Handling
Guidance, CBP notified Congress within 7 days[23] and immediately stood up a
DHS Breach Response team.[24] The team coordinated a number of incident
response and mitigation activities between May 24, 2019, and October 8, 2019,
to eliminate the source of the breach, which included:
• removing from service all equipment involved in the breach;
• canceling Perceptics’ employee access to CBP information systems and
  data; and
• requiring its prime contractor, Unisys, to terminate its contract with
  Perceptics.

CBP initiated an investigation of Perceptics in May 2019. As part of the
investigation, CBP learned Perceptics had previously obtained more than
105,000 license plate images from prior pilots. These images were originally
obtained through a CBP-authorized process aimed at improving the License
Plate Reader program. Perceptics used that authorized process to acquire

[20] Perceptics received a ransom note via an email from a hacker by the name of “Boris Bullet
Dodger” demanding 20 bitcoin within 72 hours. The ransom note stated that, without the
bitcoin, stolen data would be uploaded to the dark web. Perceptics did not pay the ransom and
the hacker uploaded more than 9,000 unique files to the dark web.
[21] CBP officially reported this incident to the Department on May 24, 2019. CBP informed
several DHS offices or individuals including the Chief Information Security Officer, the Office of
the Inspector General, and the Enterprise Security Operations Center.
[22] Following the incident, CBP Privacy conducted an assessment of the likelihood of substantial
harm, embarrassment, inconvenience, or unfairness to an individual based on the disclosure of
these images using the Office of Management and Budget breach notification guidance and
determined the information taken was of low risk. DHS’ Acting Chief Privacy Officer provided
this assessment to Congress.
[23] CBP notified Congress of the major privacy incident on June 8, 2019.
[24] The Breach Response Team included DHS’ Undersecretary for Management, Chief
Information Officer, Chief Information Security Officer, and Chief Security Officer, as well as
representatives from DHS Privacy, Partnership and Engagement, General Counsel, Public
Affairs, Legislative Affairs, and other relevant CBP offices.
www.oig.dhs.gov 8 OIG-20-71