from the hey-it’s-just-other-people’s-data-so-what’s-the-big-deal dept
It’s not just the private sector leaking data at alarming rates! Well, it is still the private sector, but it’s leaking data on behalf of the government! So… somewhat different. But still alarming.
According to this report from Caroline Haskins for Business Insider, an ICE contractor harvesting facial recognition and GPS data on behalf of one of the most despised federal agencies has been caught with its database pants down. (via invaluable resource Databreaches.net)
Trust Stamp, a government contractor that develops facial recognition and surveillance tools for agencies like Immigration and Customs Enforcement, left the personal information of several dozen people unsecured on a breached database, Insider has learned. This information included names, birthdays, home addresses, and driver’s license data.
An anonymous tipster who said they were a security researcher contacted Insider and disclosed the breach. Insider confirmed the authenticity of the data with the people named in the data leak. Trust Stamp then confirmed the security vulnerability and breach to Insider.
LOL. “Trust Stamp.” Nice job there with both the name and the security practices. Trust Stamp says this isn’t really a problem because most of the exposed data was clearly fake and just used for training. But alongside fake people like “Heidi Sample,” real people’s data was exposed, as was verified by both Business Insider and the security researcher who forwarded the tip.
That sort of service is apparently worth $7.2 million in federal tax dollars. It’s one thing to have a poorly secured testing environment. It’s quite another to have a poorly secured testing environment that apparently includes real-world data for reasons that have gone completely unexplained by Trust Stamp.
Another question that has gone unanswered by Trust Stamp is where this real-world data came from. The company was hired to assist ICE in monitoring immigrants processed at border crossings. But the real-world data exposed (and verified by BI and researchers) did not come from the expected source of Trust Stamp data.
None of the several dozen people whose names were included in the data leak were migrants who had been processed at the US southern border. Of the people Insider was able to reach by phone, none were familiar with Trust Stamp or any of its services.
So, where did this data come from? Did Trust Stamp just upload information it had gathered via other customers (an SEC filing lists a potential “39 commercial opportunities”) into its dummy testing database, neglecting to inform ICE that the test environment contained plenty of real-world data? And if it was using actual US persons’ info to pad its test database, why didn’t it do more to ensure the test environment was sufficiently safeguarded against leaks/breaches?
We still have no answers. Trust Stamp only says it is aware of the problem and has rectified it. It has yet to explain where this data originated and why it was included in the demo environment it crafted for ICE. Congress might want to start asking a few questions about this breach and pass along the same set of questions to other private contractors who may be playing fast and loose with personal data they’ve collected.
Source: https://www.techdirt.com/2022/05/27/ice-facial-recognition-contractor-leaks-a-whole-bunch-of-personal-data/