Top Democrat demands answers from CBP on security of biometric data

Top Democrat demands answers from CBP on security of biometric data
© Aaron Schwartz

Sen. Mark WarnerMark Robert WarnerHillicon Valley: YouTube to restore Trump's account | House-passed election bill takes aim at foreign interference | Senators introduce legislation to create international tech partnerships On The Money: Senate votes to take up COVID-19 relief bill | Stocks sink after Powell fails to appease jittery traders | February jobs report to provide first measure of Biden economy Senators introduce bill creating technology partnerships to compete with China MORE (D-Va.) on Monday demanded more information about two recent data breaches of sensitive biometric information, including one that affected U.S. Customs and Border Protection (CBP).

In a letter to acting CBP Commissioner Mark Morgan, the top Democrat on the Senate Intelligence Committee detailed his concerns about a cyberattack on a CBP contractor in June that involved the theft of more than 100,000 images of travelers and the exposure of sensitive data.


“It is absolutely critical that federal agencies and industry improve their track records, especially when handling and processing biometric data,” Warner wrote. “Americans deserve to have their sensitive data secured, regardless of whether it is being handled by a first or a third-party.”

Warner asked for Morgan to answer questions like whether CBP requires contractors and subcontractors to encrypt their databases and how the agency evaluates the information security systems and data retention policies of its contractors.

At the time of the June breach, CBP stressed that the subcontractor involved had transferred the images to its servers without authorization, and that no identifying information was included with the photos.

In a separate letter Monday, Warner requested answers from Suprema HQ about an August cyberattack that resulted in the data breach of a system housing more than 1 million fingerprint records, facial recognition images and employee security clearances.

Suprema biometric data security systems are used by about 5,700 companies in 83 countries, according to Warner, including banks and foreign law enforcement groups.

Warner asked that Suprema CEO James Lee provide him with the names of U.S. businesses that are Suprema clients, along with the cybersecurity standards used by Suprema to secure biometric and other sensitive data.

“Unlike passwords, email addresses and phone numbers, biometric information in voices, fingerprints, and eyes are unique data that are impossible to reset,” Warner wrote. “Biometric data can be used effectively for unauthorized surveillance and access to secure facilities, to steal identities, and is even valuable in developing deepfake technologies.”

Warner gave CBP and Suprema two weeks to respond.

Neither CBP nor Suprema immediately responded to requests for comment on Warner’s letters.

The letters come about two months after the House Homeland Security Committee held a hearing to examine the Department of Homeland Security’s use of facial recognition and other biometric data technologies.

During the hearing, committee Chairman Bennie ThompsonBennie Gordon ThompsonThe Hill's 12:30 Report - Presented by ExxonMobil - Increased security on Capitol Hill amid QAnon's March 4 date House passes voting rights and elections reform bill Lawmakers line up behind potential cyber breach notification legislation MORE (D-Miss.) advocated for a greater focus on biometric data before additional use by federal agencies.

“Before the government deploys these technologies further, they must be scrutinized and the American public needs to be given a chance to weigh in,” Thompson said at the time. “Biometrics and facial recognition technology may be a useful homeland security and facilitation tool, but as with any tool it has the potential to be misused — especially if it falls into the wrong hands.”