At a U.S. Homeland Security hearing this week that largely focused on the unsolved mystery of whether it’s illegal to use face recognition software on U.S. citizens at airports, a senior Customs and Border Protection (CBP) official proved unable to answer the most rudimentary questions about a recent data breach that has exposed tens of thousands of images of U.S. travellers and their licence plates.
In lieu of a sending an official with actual knowledge of the CBP’s data security protocols, it sent sent John Wagner, the deputy executive assistant commissioner of the agency’s Office of Field Operations, who, over a period of two hours, was unable to offer a single definitive response to any question posed by lawmakers concerning the incident.
When asked, for example, whether the surveillance company at the centre of the breach, Perceptics, first reported the incident to CBP, or whether it was the other way around, Wagner wasn’t certain: “I believe we asked them about it,” he told the committee, adding: “I need to verify this.”
He seemed strained to recalled simple details, as if the incident occurred in the distant past. “My recollection seems to be that we asked them if any of our data was included in it, and they came back and said yes,” he said.
Perceptics, which has not responded to multiple requests for comment, told the Washington Post on Wednesday it learned of the breach on May 13 and notified the Federal Bureau of Investigation within 24 hours.
In a statement last month, in which CBP insisted none of the image data had been identified online, even though several news outlets had already reported finding it, CBP said it first learned of the breach on “May 31, 2019.”
Emma Best, a journalist whose organisation, Distributed Denial of Secrets, has cataloged the exposed data and made it available for public review, described the breach as one of the largest known involving a government contractor.
It includes, for instance, hundreds of thousands of emails and documents, passwords, schematics, and equipment lists. “It’s virtually all of the company’s data,” she said. (Best has also contributed reporting on WikiLeaks for Gizmodo.)
“It spells out how their surveillance systems and services work, giving more than enough detail to reconstruct it. The cache covers border security and surveillance systems, along with systems for government and private facilities including CBP, the Drug Enforcement Agency, and the Pentagon,” she said.
Yet on Wednesday, Wagner could not tell the House Homeland Security Committee whether the data security procedures of the subcontractor responsible had ever been audited by the government. “I’m not aware of that,” he said. “I don’t know.”
Worse still, he seemed to have little knowledge of CBP’s own data security procedures. He was unsure, for instance, at what point a data breach requires the agency to notify Congress. “We do report it to Congress if it meets a certain threshold,” he said. But when asked what the threshold was, he replied: “I don’t know offhand.”
“I believe it’s a hundred thousand,” he said. A hundred thousand of what - Files? Gigabytes? Victims? - it’s unclear. “I’ll have to get back to you on that,” he said.
At one point, Wagner insisted that Perceptics knew about the breach for some time before reporting it. A “significant” amount of time, he said. But he was fuzzy on the details and is otherwise, demonstrably, an unreliable source of information.
When asked how long the breach went unreported, he told lawmakers, “I have that answer.” But then he added, “Let me look for that, and I’ll come back to you.”
Of course, he never did.
Repeated emails to CBP’s public affairs office on Thursday did not yield a response.