Top Democrat demands answers from CBP on security of biometric data

Top Democrat demands answers from CBP on security of biometric data
© Aaron Schwartz

Sen. Mark WarnerMark Robert WarnerTikTok chief cancels Capitol Hill meetings, inflaming tensions Watchdog report finds FBI not motivated by political bias in Trump probe Ex-Rep. Scott Taylor to seek old Virginia seat MORE (D-Va.) on Monday demanded more information about two recent data breaches of sensitive biometric information, including one that affected U.S. Customs and Border Protection (CBP).

In a letter to acting CBP Commissioner Mark Morgan, the top Democrat on the Senate Intelligence Committee detailed his concerns about a cyberattack on a CBP contractor in June that involved the theft of more than 100,000 images of travelers and the exposure of sensitive data.


“It is absolutely critical that federal agencies and industry improve their track records, especially when handling and processing biometric data,” Warner wrote. “Americans deserve to have their sensitive data secured, regardless of whether it is being handled by a first or a third-party.”

Warner asked for Morgan to answer questions like whether CBP requires contractors and subcontractors to encrypt their databases and how the agency evaluates the information security systems and data retention policies of its contractors.

At the time of the June breach, CBP stressed that the subcontractor involved had transferred the images to its servers without authorization, and that no identifying information was included with the photos.

In a separate letter Monday, Warner requested answers from Suprema HQ about an August cyberattack that resulted in the data breach of a system housing more than 1 million fingerprint records, facial recognition images and employee security clearances.

Suprema biometric data security systems are used by about 5,700 companies in 83 countries, according to Warner, including banks and foreign law enforcement groups.

Warner asked that Suprema CEO James Lee provide him with the names of U.S. businesses that are Suprema clients, along with the cybersecurity standards used by Suprema to secure biometric and other sensitive data.

“Unlike passwords, email addresses and phone numbers, biometric information in voices, fingerprints, and eyes are unique data that are impossible to reset,” Warner wrote. “Biometric data can be used effectively for unauthorized surveillance and access to secure facilities, to steal identities, and is even valuable in developing deepfake technologies.”

Warner gave CBP and Suprema two weeks to respond.

Neither CBP nor Suprema immediately responded to requests for comment on Warner’s letters.

The letters come about two months after the House Homeland Security Committee held a hearing to examine the Department of Homeland Security’s use of facial recognition and other biometric data technologies.

During the hearing, committee Chairman Bennie ThompsonBennie Gordon ThompsonOvernight Defense: Watchdog to audit company's border wall contract | Pentagon to step up vetting of foreign students after Pensacola | Report finds former defense official sexually harassed staffers Senate bill would give DHS cyber agency subpoena powers Pentagon watchdog to audit North Dakota company's border wall contract MORE (D-Miss.) advocated for a greater focus on biometric data before additional use by federal agencies.

“Before the government deploys these technologies further, they must be scrutinized and the American public needs to be given a chance to weigh in,” Thompson said at the time. “Biometrics and facial recognition technology may be a useful homeland security and facilitation tool, but as with any tool it has the potential to be misused — especially if it falls into the wrong hands.”