At a U.S. Homeland Security hearing this week that largely focused on the a recent data breach that has exposed tens of thousands of images of U.S. travellers and their licence plates.
In lieu of a sending an official with actual knowledge of the CBPâ€™s data security protocols, it sent sent John Wagner, the deputy executive assistant commissioner of the agencyâ€™s Office of Field Operations, who, over a period of two hours, was unable to offer a single definitive response to any question posed by lawmakers concerning the incident.
When asked, for example, whether the surveillance company at the centre of the breach, Perceptics, first reported the incident to CBP, or whether it was the other way around, Wagner wasnâ€™t certain: â€œI believe we asked them about it,â€ he told the committee, adding: â€œI need to verify this.â€
He seemed strained to recalled simple details, as if the incident occurred in the distant past. â€œMy recollection seems to be that we asked them if any of our data was included in it, and they came back and said yes,â€ he said.
Perceptics, which has not responded to multiple requests for comment, told the Washington Post on Wednesday it learned of the breach on May 13 and notified the Federal Bureau of Investigation within 24 hours.
In a statement last month, in which CBP insisted none of the image data had been identified online, even though several news outlets had already reported finding it, CBP said it first learned of the breach on â€œMay 31, 2019.â€
Emma Best, a journalist whose organisation, Distributed Denial of Secrets, has cataloged the exposed data and made it available for public review, described the breach as one of the largest known involving a government contractor.
It includes, for instance, hundreds of thousands of emails and documents, passwords, schematics, and equipment lists. â€œItâ€™s virtually all of the companyâ€™s data,â€ she said. (Best has also contributed reporting on WikiLeaks for Gizmodo.)
â€œIt spells out how their surveillance systems and services work, giving more than enough detail to reconstruct it. The cache covers border security and surveillance systems, along with systems for government and private facilities including CBP, the Drug Enforcement Agency, and the Pentagon,â€ she said.
Yet on Wednesday, Wagner could not tell the House Homeland Security Committee whether the data security procedures of the subcontractor responsible had ever been audited by the government. â€œIâ€™m not aware of that,â€ he said. â€œI donâ€™t know.â€
Worse still, he seemed to have little knowledge of CBPâ€™s own data security procedures. He was unsure, for instance, at what point a data breach requires the agency to notify Congress. â€œWe do report it to Congress if it meets a certain threshold,â€ he said. But when asked what the threshold was, he replied: â€œI donâ€™t know offhand.â€
â€œI believe itâ€™s a hundred thousand,â€ he said. A hundred thousand of what – Files? Gigabytes? Victims? – itâ€™s unclear. â€œIâ€™ll have to get back to you on that,â€ he said.
At one point, Wagner insisted that Perceptics knew about the breach for some time before reporting it. A â€œsignificantâ€ amount of time, he said. But he was fuzzy on the details and is otherwise, demonstrably, an unreliable source of information.
When asked how long the breach went unreported, he told lawmakers, â€œI have that answer.â€ But then he added, â€œLet me look for that, and Iâ€™ll come back to you.â€
Of course, he never did.
Repeated emails to CBPâ€™s public affairs office on Thursday did not yield a response.