Biometric data collected as part of a facial recognition pilot program for Customs and Border Protection ended up on a hidden part of the internet that is used for selling and buying illicit data and contraband because the agency failed to use an encrypted device to safeguard the data, the Department of Homeland Security’s Office of Inspector General says in a new report.

The traveler images were downloaded by a CBP subcontractor in 2018 and 2019 without the agency’s knowledge for use in improving the company’s facial recognition technology, the IG says. But a malicious cyber attack against Perceptics’ computer network resulted in the theft of 100,000 individual images, 19 of which were discovered to have been posted on the Dark Web.

The IG’s report says that DHS subcontractors are required to protect personally identifiable information (PII) from identity theft, compromise or misuse and that department staff and contractors are required to undertake routine training to protect personal information.

“However, in this case, Perceptics staff directly violated DHS security and privacy protocols when they downloaded CBP’s sensitive PII from an unencrypted device and stored it on their own network,” the report charges. “Given Perceptics’ ability to take possession of CBP-owned sensitive data, CBP’s information security practices during the pilot were inadequate to prevent the subcontractor’s actions.”

The pilot evaluation was aimed at capturing photos of occupants inside vehicles traveling at 20 mph as they entered and left the U.S. at a land port of entry in Texas. The images were to be used to see if they could be matched against photos of travelers contained in a CBP database as part of the agency’s ongoing Biometric Entry-Exit program, which is currently heavily focused on international flights at U.S. airports.

Unisys Corp. [UIS] was hired by CBP to design and install the facial recognition pilot at the Anzalduas, Texas port of entry. Unisys hired Perceptics to install its facial image capture solution.

In addition to the facial image files, hackers also stole 105,000 license plate images that Perceptics had stored on its network for longer than permitted as part of prior license plate reader evaluations the company had done for CBP. The IG also says that other stolen data included contractual documents, program management documents, emails, system configurations, schematics, and documentation related to the license plate reader program.

Perceptics was suspended from government contracting in June 2019, and the suspension was lifted that September. At the time of the IG review, the company was no longer working with CBP, the report says.

CBP agreed with all of the IG’s recommendations, which include implementing enhanced encryption and USB device restrictions, better coordination within the agency for security controls, and development of a plan for the Biometric Entry-Exit program to “routinely assess third party equipment supporting biometric data collection to ensure partners’ compliance with department security and privacy standards.”

The IG did take issue with the plan, which it says doesn’t appear to support the entry-exit program specifically.