The Canada Border Services Agency launched an investigation after the licence plate reader system it uses was targeted recently in a malicious cyberattack in the U.S.
Earlier this week, news surfaced that photos of travellers and licence plates collected by U.S. Customs and Border Protection were compromised in a privacy breach last month. The CBSA and U.S. Customs and Border Protection use the same plate reader technology.
“We are currently reviewing and assessing what impacts, if any, this breach has on our operations and Canadians,” said CBSA spokesman Nicholas Dorion in an email to CBC.
“While the CBSA awaits the completion of the forensic investigation, our information at this time is that this incident does not pose systems or security vulnerabilities.”
Public Safety Minister Ralph Goodale, whose portfolio includes the border agency, said he’s concerned about the breach.
“(CBSA is) investigating that whole situation from top to bottom. To this point, there have not been serious implications for CBSA’s information, but obviously CBSA is concerned about the quality of the services that are provided to it and they are investigating all the ramifications,” he said.
U.S. Customs and Border Protection said they learned of the data breach, which affected fewer than 100,000 people, at the end of May.
A subcontractor transferred copies of images to its company network without the agency’s authorization, violating U.S. government policy, said the American officials.
Tough laws needed: CCLA
U.S. customs won’t release the name of the subcontractor whose computer network was hacked, but the Washington Post reported that a Microsoft Word document of a U.S. Customs and Border Protection public statement, sent Monday to reporters, included the name “Perceptics” in the title (“CBP Perceptics Public Statement“).
The U.K. computer security website The Register also reported that the hacker responsible alerted it to the breach in late May, identifying the company involved as Perceptics.
And even the CBSA named Perceptics as the subject of the cyber attack, saying the attack took place May 13.
CBSA has issued dozens of contracts to Perceptics for its licence plate reader and radio frequency identification services since 2015, totalling more than $21 million.
The latest contract was awarded in March of this year, according to Public Works and Government Services’ archives.
The company says its licence scanning technology identifies the province or state of origin on at least 95 per cent of vehicles with a rear licence plate, compresses the image and then instantly displays that information to border officers.
“Vehicles with a clear record of lawful trade and travel will go through quickly; vehicles of concern can be detained for proper clearance,” says a Perceptics press release from 2017.
The office of federal privacy commissioner said it’s reaching out to the CBSA for more information.
“It certainly raises concerns about the privacy of Canadian travellers,” said spokesperson Tobi Cohen.
Michael Bryant, executive director of the Canadian Civil Liberties Association, said the Perceptics case raises questions about why private companies are hired to collect Canadians’ information.
“If Canada cannot safeguard our privacy, the agency should lose the power to take it in the first place,” he said.
“The best way to avoid private sector data breaches of sensitive personal data is not to collect and retain such data in the first place. This comes at a time when facial recognition and collection of sensitive information is on the rise in Canada and the breach underscores the need for legislation in Canada, where right now there is none.”
Perceptics bills itself as the sole provider of licence-plate readers “for passenger vehicle primary inspection lanes at all land border ports of entry in the United States, Canada and at the most critical lanes in Mexico.”
The company has not responded to CBC News’ request for comment.