825 points by pseudolus 2456 days ago | 198 comments on HN
| Moderate positive Editorial · v3.7· 2026-02-28 12:19:42 0
Summary Privacy & Surveillance Advocates
BuzzFeed News investigative article reporting on a US Customs and Border Protection data breach exposing traveler photos and license plates to unauthorized access. The piece directly advocates for privacy rights and government accountability, featuring prominent criticism from ACLU and Congressional leaders calling for investigations and limits on surveillance expansion, demonstrating strong alignment with UDHR provisions on privacy, freedom of expression, and security of person.
> On May 31, 2019, CBP learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network
> CBP ... is closely monitoring all CBP work by the subcontractor
What. In the private sector, they'd have been fired and probably legal action levelled against them. The CBP's punishment for this is 'monitoring'? Please tell me I'm reading this wrong...
The sad truth is Congress is the biggest offender of poor network security practices. Every time they bring in Equifax, DHS, etc to explain why they didn't practice basic IT security due diligence or due care I am reminded of the time smart people were hired to implement basic network security for Congress. Once they realized Joe in IT (who was hired to keep hackers out) can see Congressman Bob has a foot fetish, fish fetish, whatever, Congress told IT to turn everything off.
If only someone could have seen this coming, you know, outside of the thousands of people that saw this coming. This is just one of many reasons why mass surveillance is terrible.
If CBP is not directly forthcoming with facts relating to the breach (specifically, whose information was unlawfully taken from the CBP production network) how does one seek redress for the harms created by the actions of the contractor?
This is yet another reminder that managing the security of your company's third party contractors is just as important as managing your own company's security. Security is a game of weakest links, and it wouldn't have mattered if CBP's internal security was the best in the world if they were allowing access to a third party that doesn't have good security.
It is naturally very difficult to enforce security mandates on a company that isn't your own, but I feel that this is one of the best ways we can improve security overall in our society: companies need to start requiring that everyone they do business with have a strong, independently certified security program, or else no contract will be signed. This is already done for things like data center contracting, but it should be much more widespread and encompass every type of b2b deal.
This is, of course, a serious breach and there will and should of course be consequences for the negligent parties, but I am struggling to see the threat model being faced here.
Biometric data is just a username. I flash my face around all day, and am careless as to where I leave my thumbprint.
The loss of so many photos and names is unlikely to have national level consequences (compare this to, say, the Office of Personnel Management breach from some years back - that has horrible implications for US national security for decades) and the personal level consequences are ... hard to see.
What this does underline is that we are outrageously careless as an industry with our data (comparable to early industrial "pollution" as Schneier points out). And it is not going to get better without a) career and business ending consequences b) new ways to store / secure data c) a new way of thinking about who owns and what is personal data
Personally I think we need a new form of intellectual property. Just as we are trying to work out what kind of company FAANG are (not telcos, not newspapers, what is a platform?), we need to ask what is personal data.
This comment is presumed under law to be my property, my copyright. I might license that property away (dunno, never read HN T&Cs) but it is mine. But Google and Apple and others will track that I sat down at a certain time and place to write it, my ISP will see when I sent to which servers.
All of that data is also created by my conscious actions - should that data not also be my property? And if need be licensed - and compensated for its use?
And when (if) my data is held - then we should presume that it can be accessed by my agents for my benefit (from spending patterns to heart data). I would argue that sometimes surveillance can be good for us - but only in ways similar to doctors knowing more about me can be good for me - the entire industry of medicine has individual interests at its heart and took a long time to get there.
We are heading in that direction (perhaps) but till we get there, carelessness will be the cheapest option, surveillance always bent against us (by state or other actors). We should rail against this stupid dumb breach, but punishing the "bad guys" is not even the first step on the road.
If I can make a bad analogy - It's not one incident that people got sick from one chef badly cooking chicken - it's we need to look at factory farming and meat consumption and healthy eating and marketing bias as a whole.
The only way to prevent hackers from getting access to databases that contain our names, picture, and license plate number - is to never create such a database.
The photos were transferred to a subcontractor’s network and later stolen through a “malicious cyberattack,” a CBP spokesperson told TechCrunch in an email.
Anyone think they approved the security of that subcontractor before giving sensitive information to them?
More importantly, why is that type of data leaving CBP in the first place?
Don't worry folks, I'm sure this won't hinder the CBP and other related agencies from continuing to roll out systems that capture ever more of our data.
I’ll just keep saying this, and getting dismissed by everyone I know - any data security discussion around a centralized data store that doesn’t begin with the recognition that that data store will be compromised, is a discussion that is just a joke.
Great job, thanks guys. Shouts to NSA and the whole security industrial complex for looking out for us. Glad to see all the research and 0day hoarding paid off. Really appreciate it.
“There should never have been the ability to download a database like this off of government servers.”
Sorry that I don't have a ton of links to support this claim, but "believe me" (as our Commander-in-chief would say) that the US Government would cease to function if it were not for subcontractors (read, private companies) performing tasks on behalf of the government. Personally, I don't agree with this way of our government doing business, but that is the way it is.
When I was in college, I worked for an archeology lab, and our lab was the subcontractor, of the subcontractor, of the contractor that had contracted to provide a service to the USACE (US Army Corps of Engineers). And every way along the way, money was skimmed off of the top. It's just "the American way" of doing business.
People lament regulation all the time. I have a feeling the executives of Ingersoll Rand love it every time a new regulation is put into place.
They've helped themselves to what seems to be limitless legal power as well as a functionally infinite budget... and still this type of incident doesn't surprise us in the least. Everyone just expects them to be one of the least competent actors in the space. And they don't disappoint. Hmmm.
> “CBP learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network,” said an agency statement.
How long will it take the general public and elected officials to understand that the only authorization that matters for digital data is the actual implementation? Policies, legalese, mandates or any other agreements are meaningless.
If the data can be gotten at from or transferred to outside of a controlled environment, it will.
Just another reminder that there is no accountability left in America, and you reap what you sow. If you want a society that is accountable, you need to start with a culture that values honor and takes shame seriously. You can’t impose a sense of honor from the outside without building it slowly from within, any more than you can impose respect without earning it.
If you ignore these principles, you make room for people who lack self-worth, and those are the most destructive forces in a society because they have nothing to lose.
Anyone? Why is a 3rd party given the ability to store such a large database to conduct such business?
They should at most store the last 3 months' border documents, nothing older than this.
That would imply that security is irrelevant. Maybe you should re-work your rule to say that it will attempt to be hacked. Therefore you should always worry about security.
Sounds like pretty standard PR legalese to me. I guarantee that the same is going to happen to the subcontractor (after a lengthy investigation, to be sure), but it's bad practice to go throwing around public legal threats, especially for the government which likely has a multi-hundred page contract with these people, and especially at such an early point in any investigations going on.
“In the private sector” covers a lot of ground and I have extreme skepticism about your faith in the process unfolding that way: ask yourself how many breaches you’ve been part of and whether anything more than a press release happened along with waiting for the news to die down. How many customers did Experian lose?
(In the enterprise software world, I can tell you how epic failure to perform on an 8+ figure contract unfolds: the sales guy takes a VP out to the next game so they can discuss it over drinks in the corporate box and nothing will change)
They probably are doing some sort of critical service that can't be immediately stopped. That doesn't mean they will get contracts in the future or won't get legal action taken, but it takes time to review all that with the DOJ and decide how to proceed.
> I am struggling to see the threat model being faced here.
We don't really know the full details of the breach, but if the facial recognition database contained names in a column associated with pictures, that data can absolutely be leveraged and cross-referenced against other "fullz" for fraud that even passes a lot of online verification procedures.
Ha. In the private sector, we discovered a vendor was using an actual health database with real users in it for testing their app. It was all covered up, with no monitoring, because we recently bought that vendor.
Why is it terrible? Sure, this has the potential to have negative consequences for the people whose data it was, but as far as the government cares it's working fine.
You and a whole bunch of other people making the same extremely basic observation. It would be good if you would suggest some alternative strategies, since 'don't bother keeping that data' isn't a realistic option in this context.
Compliance with NIST SP 800-53 is mandatory per statute and DHS policy. That system has an identified ISSO, ISSM, ISSPM, DAO, and AO who are responsible for authority to operate being given. If the paperwork is in place, a government employee signed off on that network's operation. If not, it doesn't have ATO and there's a government employee (the AO or CIO) responsible for allowing such a network to be connected to government systems and store government-controlled information.
> Anyone think they approved the security of that subcontractor before giving sensitive information to them?
They almost certainly did, actually. FIPS [1] and FISMA [2] are pretty strict requirements for every company contracting with a government agency. IMO it's one of the rare situations where, at least conceptually, the federal government has done something right in terms of security.
Now whether FIPS/FISMA, and the people enforcing it, actually have any teeth or effectiveness is a different topic entirely.
Isn't monetary liability a form of "outsourced responsibility"? I'm not understanding why damages from lawsuits are not sufficiently motivating the industry to take data breaches seriously. Maybe they just aren't awarding enough damages to change behavior?
Correct me if I'm being overly cynical, but this is an oft-repeated truism that is as useless as "the only winning move is not to play." It's technically the truth, but what are we supposed to do, revert all information systems to non-electronic media? What is the intended takeaway from this statement? If anything, it absolves data security efforts of responsibility by pointing out that there's always a chance of data breach as long as there is data.
That's trivially true, but the proper response to bad security is good security, not shutting down the whole system.
The goal isn't to prevent it in an absolute sense. The goal is to raise the cost to either above the value of the data contained therein or compared to other direct means, like in-person espionage or military actions.
Article is primarily focused on privacy violations and strongly advocates for privacy protection against unauthorized government data collection and exposure
FW Ratio: 60%
Observable Facts
ACLU statement in article: 'This breach comes just as CBP seeks to expand its massive face recognition apparatus and collection of sensitive information from travelers...the need to put the brakes on these efforts'
Article emphasizes database transferred 'without the federal agency's authorization or knowledge'
Expert states: 'The best way to avoid breaches of sensitive personal data is not to collect and retain such data in the first place'
Inferences
The article advocates for strong privacy protections by limiting government data collection practices
The breach exemplifies privacy violations and serves as evidence that current safeguards are inadequate
Article is investigative journalism exemplifying freedom of opinion and expression through critical reporting on government surveillance practices and policy advocacy
FW Ratio: 60%
Observable Facts
Article authored by named reporters Davey Alba and Hamed Aleaziz with publication date and timestamp
Article contains original investigation and analysis, directly critiquing CBP practices and surveillance expansion
Related investigations referenced show ongoing critical coverage of facial recognition and surveillance programs
Inferences
The article exemplifies freedom of expression by investigating and publicly critiquing government surveillance expansion
BuzzFeed News' editorial model enables freedom of expression through support for investigative journalism on surveillance and privacy
Article implicitly advocates for human dignity through critique of unauthorized data exposure and privacy violations, establishing case for rights protections
FW Ratio: 50%
Observable Facts
Article reports CBP subcontractor 'transferred copies of license plate images and traveler images...to the subcontractor's company network' without authorization
ACLU statement quoted: 'This incident further underscores the need to put the brakes on these efforts and for Congress to investigate'
Inferences
The unauthorized transfer and breach illustrate the article's implicit argument that human dignity requires protection against arbitrary data exposure
The article frames privacy protection as foundational to maintaining human dignity and inalienable rights
Article opposes government actions and policies that undermine recognized human rights to privacy, security, and freedom of movement
FW Ratio: 67%
Observable Facts
ACLU statement: 'This incident further underscores the need to put the brakes on these efforts' to expand surveillance
Article describes surveillance expansion occurring 'in the absence of proper vetting, regulatory safeguards, and what privacy advocates say is in defiance of the law'
Inferences
The article advocates against government actions that diminish or destroy recognized privacy rights
Article addresses equal treatment of all travelers affected by breach, implicitly affirming equal dignity and rights regardless of citizenship or status
FW Ratio: 50%
Observable Facts
Article states fewer than 100,000 people had information compromised, affecting diverse travelers crossing US borders
Inferences
The coverage of the breach affecting all travelers suggests commitment to equal human dignity principles
Article emphasizes government's duty to community to protect privacy and exercise surveillance responsibility
FW Ratio: 50%
Observable Facts
Article notes CBP violated 'mandatory security and privacy protocols' and states CBP 'takes its privacy and cybersecurity responsibilities very seriously'
Inferences
The article frames privacy protection as a core community duty of government agencies
Use of terms like 'malicious cyber-attack,' 'hacked,' 'stolen,' 'exposed' — though these are factually accurate technical descriptions of the security breach rather than distortions