U.S. Customs and Border Protection Failed to Adequately Secure and Protect Traveler Data
This week, the Department of Homeland Security’s inspector general said in an oversight report that U.S. Customs and Border Protection (CBP) officials have failed to use adequate cybersecurity measures and safeguards to protect travelers’ data. The report says that from July 2017 to December 2019, personal data was left vulnerable to hackers in the Mobile Passport Control (MPC) app used by over 10 million U.S. and Canadian citizens. Specifically, the agency did not conduct security and privacy reviews/assessments, nor implement protective hardware/ software settings.
The report surmises, “Unless CBP addresses these cybersecurity vulnerabilities, MPC apps and servers will remain vulnerable, placing travelers’ [personal information] at risk of exploitation.”
The Office of the Inspector General made the following eight recommendations, which the CBP agreed to implement:
1: Update policies and procedures to ensure CBP scans all app update versions and that they are scanned prior to release by developers.
2: Update policies and procedures to codify scan processes and define the roles and responsibilities necessary to ensure scans are complete as required, and review those scan results for vulnerabilities.
3: Update the policies and procedures to include processes to conduct required security and privacy compliance reviews on a specific schedule and timeframe, track reviews completed, and centrally store review documentation.
4: Receive all necessary information from developers to complete an adequate privacy and security assessment.
5: Develop a capability to review access logs, define the periodic review time frame, and perform the required reviews according to the defined time frame.
6: Complete the required privacy evaluation review.
7: Update the policies and procedures to include a process to conduct internal audits and perform the required audits.
8: Adhere to DHS policy and fully implement the Defense Information Systems Agency Security Technical Implementation Guide control categories for the servers supporting the MPC program, request waivers as appropriate, or fully document any exception obtained when deviating from policy requirements.
View the full report here.