Lawmakers demand answers on Border Patrol data breach


Lawmakers are expressing alarm and demanding answers over a recent data breach involving U.S. Customs and Border Protection (CBP), the latest in a series of incidents that is underlining the severity of cybersecurity threats to both agencies and businesses. 

In the CBP incident, a malicious actor breached a subcontractor of the agency that had stored photos from a CBP database. The breach resulted in the exposure of images of as many as 100,000 people entering and exiting the U.S. over the period of a month and a half.

CBP, which is not revealing the name of the subcontractor involved, told The Hill on Monday that it is working with Congress and with its own Office of Professional Responsibility to investigate the data breach.

The agency stressed that the subcontractor involved had transferred the photos to its own systems “in violation of CBP policies and without CBP’s authorization or knowledge.” And the agency said that no identifying information was included with the photos.

But those assurances did little to assuage lawmakers on Capitol Hill on Tuesday. Lawmakers from both parties expressed dismay over the breach and committees in both the House and Senate with jurisdiction over the agency were considering further actions.

Sen. Gary Peters (D-Mich.), the ranking member of the Senate Homeland Security and Governmental Affairs Committee, told The Hill that while he is interested in looking into the CBP breach, he wants to make sure he has “all the facts” before moving forward.

“Right now it’s just about getting a better sense of exactly what happened, how it happened, and then we’ll figure out appropriate steps to take from that point forward,” Peters said. “We never like breaches, they should never happen, but it shows we have to harden our defenses.”

A spokesperson for Sen. Ron Johnson (R-Wis.), the chairman of the Senate Homeland Security Committee, declined to comment. But across the Capitol, lawmakers are looking more closely into the government's collection of data on travelers.

House Homeland Security Committee Chairman Bennie Thompson (D-Miss.) announced on Monday that his committee would hold hearings next month to examine the collection of biometric information by the Department of Homeland Security (DHS), which includes CBP.

Thompson also noted that he wants to ensure “we are not expanding the use of biometrics at the expense of the privacy of the American public.”

Homeland Security Committee ranking member Mike Rogers (R-Ala.) used the breach to criticize DHS’s handling of cybersecurity challenges, saying in a statement to The Hill that “the agency is ill-equipped to handle emerging cyberthreats.”

“The data breach resulted from a contractor acting improperly and against agency policy,” Rogers said. “We need to take steps to ensure this does not happen again.”

Rep. Cedric Richmond (D-La.), the chairman of the House Homeland Security subcommittee on cybersecurity, also called for more answers about the breach, which he said would inform Congress's next steps.

Richmond told The Hill that “we have to get to the bottom of how, what, and when and make sure we have some cyber competence over there to protect the data.”

But despite the frustration over the latest breach and demands for more information, it is unclear if Congress is any closer to coalescing behind data breach legislation. Efforts to draft an even more comprehensive federal data privacy law in the current Congress have also made little headway.

Sen. Mark Warner (D-Va.), the ranking member on the Senate Intelligence Committee, told The Hill that this incident showed the need for national data breach legislation, which has been a focus of both chambers in recent months.

“In my mind this is one more example of how in America 20 years ago we would have never gone this long without setting the standards, and I think that is really unfortunate,” Warner said.

The Senate Commerce Committee has been heavily involved in the conversation around crafting data security and privacy legislation this Congress. However, when asked what steps he would advocate taking in response to the CBP data breach, committee Chairman Roger Wicker (R-Miss.) told reporters “you tell me.”

Sen. Brian Schatz (D-Hawaii), the ranking member of the Senate Commerce Subcommittee on Communications, Technology, Innovation and the Internet, said he thinks the breach merits an investigation by the Office of the Inspector General.

“Government, especially law enforcement agencies that have personally identifiable information and extremely sensitive information like facial images, have a special obligation for cybersecurity,” Schatz added.

The CBP breach came on the heels of a similar data breach involving a third-party organization that occurred in the health care industry last week. That breach exposed the personal information of around 20 million customers of blood testing groups Quest Diagnostics, LabCorp and Opko Health when an unauthorized user gained access to the systems of the billing collection group American Medical Collection Agency.

Warner was among the senators who wrote last week to Quest Diagnostics, which had the largest share of the information exposed, asking for answers on how the company had secured its data and how it was responding to the breach. Warner gave Quest two weeks to respond.

Warner told The Hill his office has not heard back from the company.