Politics

Privacy commissioner launches investigation into licence plate breach

The privacy commissioner has launched an investigation into the Canada Border Services Agency after the licence plate reader system it uses was targeted in a malicious cyberattack in the U.S.

Photos of travellers and licence plates collected by U.S. Customs and Border Protection were compromised

In this file photo, traffic travelling from Niagara Falls, Ontario, Canada, lines up on the Rainbow Bridge to enter the United States through a border checkpoint at Niagara Falls, N.Y. U.S. Customs and Border Protection officials said photos of travellers had been hacked as part of a “malicious cyberattack." (Don Heupel/Associated Press)

The privacy commissioner has launched an investigation into the Canada Border Services Agency after the licence plate reader system it uses was targeted in a malicious cyberattack in the U.S.

Earlier this summer, news surfaced that photos of travellers and licence plates collected by U.S. Customs and Border Protection through the Perceptics system were compromised in a privacy breach last month.

The CBSA and U.S. Customs and Border Protection use the same plate reader technology.

"Our office has continued to engage with CBSA and has initiated an investigation into the breach with respect to CBSA records," said Vito Pilieci, spokesperson for the Office of the Privacy Commissioner, in an email to CBC News this week.

"Due to confidentiality provisions in the Privacy Act, I cannot provide any further details at this time."

The CBSA is conducting its own review to learn if Canadians' information was swept up in the breach.

"The Canada Border Services Agency has received an investigation notice from the Office of the Privacy Commissioner related to the Perceptics cyber attack and we are committed to working with them throughout their investigation," said spokesperson Rebecca Purdy in an email.

U.S. Customs and Border Protection said they learned of the data breach, which affected fewer than 100,000 people, in May, but said none of the files had been posted to the darker corners of the internet.

However, someone using the pseudonym "Boris Bullet-Dodger" contacted the tech website The Register to share a link to the hacked files on the dark web.

The Register shared that link with CBC News. 

The massive trove of files includes internal Perceptics data such as payroll information, travel receipts, non-disclosure agreements and customs declarations. It also contains information on Perceptics's competitors and even several music playlists.

U.S. officials said the company transferred copies of images to its company network without the agency's authorization, violating U.S. government policy.

The CBSA already has said Public Services and Procurement Canada reviewed Perceptics's Canadian contract and told the agency the vendor complied with all the terms.

Since 2015, the government has issued dozens of contracts to Perceptics for its licence plate reader and radio frequency identification services, totalling more than $21 million.

The CBSA still uses Perceptics's plate-reader technology.

"Our information confirms that use of this equipment does not pose systems or security vulnerabilities to the CBSA," said Purdy. 

with files from the CBC's Sylvène Gilchrist

Add some “good” to your morning and evening.

A variety of newsletters you'll love, delivered straight to you.

...

Thank you for subscribing to CBC Newsletters. Discover more CBC Newsletters.

Happy reading!

Comments

To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.