US Customs and Border Patrol Falls Short in Data Protection

A July 15 report by the Department of Homeland Security’s Inspector General reveals inadequate cybersecurity measures taken by the U.S. Customs and Border Protection (CBP) officials.

The report assessed the period between July 2017 and December 2019, and found that the personal data of over 10 million U.S. and Canadian travelers using the Mobile Passport Control(MPC) app was left unprotected. CBP, according to the report, did not implement proper security or privacy audits, nor implement sufficient cybersecurity settings.

The Inspector General recommended CBP update its policies and procedures to: submit to a privacy evaluation review, scan all app updates prior to release for vulnerabilities, create a process for scheduled security and compliance reviews, store review documentation in a central location, require developers to comply with security and privacy assessments, create an access log review process; and to implement the Defense Information Systems Agency Security Technical Implementation Guide control categories for MPC servers.

CBP has 30 days to comply with the Inspector General’s recommendations.

The DHS’s cybersecurity division, which is under new leadership as of last week, has taken several steps to secure the United States’ infrastructure–from new pipeline regulations, to new ransomware guidance, to hiring nearly 300 cybersecurity professionals to help the nation combat a rise in crippling ransomware and cybersecurity attacks.

ADCG members should closely monitor the federal government’s hard stance on cybersecurity and data privacy, as the precedents being set now will likely help shape future federal cybersecurity and data privacy legislation for infrastructure companies like banks and financial organizations.