In June 2019, U.S. Customs and Border Protection (“CBP”) suspended a government contractor, Perceptics, LLC, after it suffered a highly publicized cyberattack that resulted in a breach of sensitive data collected from Government surveillance equipment used along the U.S. border. More details about the cyberattack and the deficiencies that led to the suspension have now emerged. The U.S. Department of Homeland Security (“DHS”) Office of Inspector General (“OIG”) recently released a Report on the cyberattack that targeted Perceptics and the resultant data breach.1 The Report concludes that both Perceptics and CBP were at fault, acknowledging that agencies and contractors alike play a role in protecting sensitive data collected and held by the Government.
The Cyberattack and Perceptics’ Suspension
Perceptics was performing as a subcontractor to Unisys Corporation, which held a prime contract for CBP’s facial recognition technology pilot program, known as the Vehicle Face System. Perceptics installed its facial image capture solution at the Anzalduas, Texas Port of Entry and provided support for associated equipment, allowing CBP to confirm the identities of travelers at the U.S.-Mexico border. The program’s biometric data, like the facial images from the Vehicle Face System pilot program, is considered sensitive personally identifiable information (“SPII”), making the data subject to specific DHS data protection policies.2
While performing maintenance work for the program, Perceptics accessed CBP data, including biometric data such as images of vehicle drivers and passengers, and transferred copies of this data to an unencrypted external device via a USB port, and then later uploaded the data to its own company network. However, at no point was Perceptics authorized to access or download data from the equipment while conducting maintenance work.
On May 13, 2019, Perceptics learned of a potential cyberattack when it received an email threatening to release information if Perceptics did not pay a ransom (known as a ransomware attack), and it notified the Federal Bureau of Investigation (“FBI”) of the email threat the same day. Four days later, Perceptics informed Unisys that it was investigating a potential cyberattack and data breach. On May 24, 2019, CBP learned about the breach from a news article and contacted Unisys for information, at which time Unisys confirmed Perceptics’ investigation into a potential cyberattack and data breach of CBP information.
Upon learning of the data breach, CBP informed DHS and coordinated a DHS Breach Response team to investigate, respond to, and mitigate the effects of the data breach. CBP’s investigation determined that the cyberattack had resulted in a data breach involving approximately 184,000 traveler facial images, as well as other images and contractual documents. CBP’s mitigation efforts included:
- removing from service all equipment involved in the breach;
- canceling the authority for Perceptics employees to access CBP information systems and data; and
- requiring Unisys, as the prime contractor, to terminate its contract with Perceptics.
In June 2019, CBP temporarily suspended Perceptics, making Perceptics ineligible to participate in future Federal Government contracts, subcontracts, grants, loans, and other Federal assistance programs. CBP then lifted the suspension on September 26, 2019, after CBP and Perceptics entered into an Administrative Compliance Agreement (“ACA”) to mitigate the risks that CBP had identified during its investigation. The details of the ACA are not public, but ACAs typically require that a contractor accept responsibility for its conduct and commit to additional ethics, oversight, compliance, and employee training requirements.
Conclusions of the DHS OIG Report
The DHS OIG Report provides information on the three specific security and privacy requirements that Perceptics violated in its conduct as a subcontractor for the Vehicle Face System pilot program:
Violating the Signed Rules of Behavior. Contractor and subcontractor staff with access to DHS computer systems are required to undergo training on security protocols and sign rules of behavior agreements. Although Perceptics’ staff completed the required training, at least one staff member violated the signed rules of behavior by downloading CBP’s SPII and transferring it to Perceptics’ network, making it vulnerable to the cyberattack.
Using an Unencrypted Device to Access SPII. Under DHS requirements for handling SPII, only DHS-approved encrypted portable devices may be used when accessing, storing, or hosting SPII. Perceptics violated this requirement when one of its staff members used an unencrypted device to download CBP’s SPII, which Perceptics was not authorized to handle in the first place.
Failing to Immediately Report the Cybersecurity Incident. Perceptics’ subcontract with Unisys included a special DHS information security clause that requires contractors to report all known or suspected incidents involving sensitive information, such as SPII, within one hour of discovery. Perceptics did not directly inform CBP or DHS of the cyberattack at any point, instead informing the FBI and later, Unisys, the prime contractor. CBP learned of the cyberattack from a news article, which it then confirmed with Unisys.
The DHS OIG Report also found that CBP did not satisfy its own security obligations, thereby creating the situation that led to the data breach:
Failing to Protect SPII Through Secure Technology. DHS agencies are responsible for securing their own technology, and the CBP technology used in the Vehicle Face System pilot program involved an open USB port that allowed Perceptics staff to use an unencrypted device to gain access to the biometric data.
The DHS Report’s overall conclusions focused on the need for CBP to protect against unauthorized access to biometric data, particularly when third parties, such as government contractors, could gain access to such data. The Report recommended that CBP implement additional mitigation and security policies for its port of entry programs that collect sensitive information, to include USB device restrictions, enhanced encryption, and assessments of third-party equipment. CBP agreed with the recommendations and has been implementing them.
What This Means For You
Government contractors should take note of multiple aspects of the Perceptics cybersecurity incident to improve their own cybersecurity and information technology practices. First, providing the minimum required security and privacy training to employees may not be sufficient to guard against an employee-caused violation, and contractors may want to consider additional training or active oversight of employee activities. Despite Perceptics’ employees all having completed the required training, at least one employee violated the security and privacy requirements by using an unencrypted device to transfer CBP data to Perceptics’ network.
Second, contractors should comply with applicable reporting requirements, which may require immediate notification to the contracting agency in the event of a potential cybersecurity incident. Perceptics and Unisys did not immediately inform CBP of the potential cyberattack and data breach, even though they appeared to have promptly commenced an assessment of whether SPII was actually at risk. In many cases it will not be possible to conduct a full investigation into a cyberattack and data breach before reporting it to an agency; instead, it may be necessary to submit a preliminary report while the investigation continues.
Third, the inadequacies of CBP’s own security practices were a significant factor in the breach that may prompt changes going forward. In the wake of the Perceptics incident, agencies across the Federal Government may start taking a critical look at their own security policies and practices, and may impose additional cybersecurity and data privacy requirements on contractors, particularly if a contractor’s scope of work potentially gives it access to sensitive information. Contractors should be prepared for such additional requirements and ensure that they can nimbly respond to any updated compliance requirements.
The DHS OIG report provides insight into how the Government may respond when a contractor suffers a data breach and offers lessons to government contractors. Government contractors should reassess and strengthen their own cybersecurity and data privacy practices and expect agencies to learn from the mistakes of CBP, which may result in stricter requirements on contractors in the future. Government contractors should take proactive steps to ensure they do not become the next government contractor tied to a major cybersecurity event.
1 Office of Inspector General, Department of Homeland Security, OIG-20-71, Review of CBP’s Major Cybersecurity Incident During a 2019 Biometric Pilot (Sept. 21, 2020), https://www.oig.dhs.gov/sites/default/files/assets/2020-09/OIG-20-71-Sep20.pdf.
2 Privacy Office, Department of Homeland Security, Handbook for Safeguarding Sensitive PII, Privacy Policy Directive 047-01-007, Revision 3 (Dec. 4, 2017), https://www.dhs.gov/sites/default/files/publications/dhs%20policy%20directive%20047-01-007%20handbook%20for%20safeguarding%20sensitive%20PII%2012-4-2017.pdf.
