The hearing conducted by the Department of Homeland Security this week that centers on the recent data breach that compromised images of American and foreign travelers from airports’ facial recognition system, proved that there are officials in the position who is incompetent regarding data security and technology in general.
A senior Customs and Border Protection (CBP) official proved unable to answer the most rudimentary questions about a recent data breach and instead of sending a capable expert from their office, the CBP sent John Wagner, the deputy executive assistant commissioner of the agency’s Office of Field Operations, who, according to critics, cannot and did not offer any intelligible answer even to the most rudimentary questions about the issue at hand.
According to other reports, Wagner does not know details of the breach, including those that involved their agency. For example, when asked whether the surveillance company at the center of the breach, Perceptics, first reported the incident to CBP, or whether it was the other way around, the senior official was not sure what to say.
Instead, he said: “I believe we asked them about it […] I need to verify this.”
He even admits that he has problems recalling even the most obvious details about the case. “My recollection seems to be that we asked them if any of our data was included in it, and they came back and said yes,” he said.
Interestingly, Perceptics and CBP seem not to have the same memory of what happened. In an interview with the Washington Post, Perceptics said that they discovered the data breach on May 13th and immediately reported the incident to the Federal Bureau of Investigation within the next 24 hours after their discovery. However, in a statement that the regulatory agency released last month, CBP said that they were only made aware of the data breach on May 31st.
Furthermore, it is also questioned why the CBP insisted in the statement that it released that none of the images included in the said data breach were found online and could not be traced to anybody when journalist and independent investigators have reported seeing the leaked photos online.
Emma Best, a journalist whose organization, Distributed Denial of Secrets, has cataloged the exposed data and made it available for public review, described the breach as one of the largest known involving a government contractor. It includes, for instance, hundreds of thousands of emails and documents, passwords, schematics, and equipment lists. “It’s virtually all of the company’s data,” she said.
“It spells out how their surveillance systems and services work, giving more than enough detail to reconstruct it. The cache covers border security and surveillance systems, along with systems for government and private facilities including CBP, the Drug Enforcement Agency, and the Pentagon,” she said.
To make matters worse, Wagner could also not tell Homeland Security whether their agency is monitoring and auditing their government contractors. When asked, he said: “I’m not aware of that. I don’t know.”
Furthermore, even if the notification procedure is an essential process in handling data breach cases, Wagner wasn’t also sure whether or not they should report to Congress what.
“We do report it to Congress if it meets a certain threshold,” he said. But when asked what the threshold was, he replied: “I don’t know offhand.”
“I believe it’s a hundred thousand,” he said. A hundred thousand of what—Files? Gigabytes? Victims?—it’s unclear. “I’ll have to get back to you on that,” he said.
Worse, instead of taking responsibility for the incident, Wagner is pressing the blame to their contractor saying that they were not informed about the data breach “for a significant amount of time” after Perceptics allegedly discovered the compromise.
When asked how long the breach went unreported, he told lawmakers, “I have that answer.” But then he added, “Let me look for that, and I’ll come back to you.” But he never did.