ICE Contractor Trust Stamp exposes dozens of people’s data in demo app

  • Trust Stamp, which has a $7.2 million contract with ICE to track migrants, exposed dozens of people’s data in a data breach, Insider has learned.
  • Credentials for potential customers to test Trust Stamp have been released publicly, leaving names and driver’s license data open.
  • The vulnerability, which has been resolved, does not appear to expose migrant data.

Trust Stamp, a government contractor that develops facial recognition and surveillance tools for agencies such as Immigration and Customs Enforcement, left the personal information of dozens of people unsecured on a hacked database, Insider has learned. This information included names, birthdays, home addresses and driver’s license data.

An anonymous tipster who claimed to be a security researcher contacted Insider and disclosed the breach. Insider confirmed the authenticity of the data with those named in the data leak. Trust Stamp later confirmed the security flaw and breach to Insider.

In an email to Insider, Trust Stamp CEO Gareth Genner said the exposed database was intended for potential customers to test his product, and that most of the entries were “clearly made-up data”, such as “Heidi Sample” or “Test Alaska”. The majority of the hundreds of user entries exposed in the breach were indeed for fake users as part of a so-called demo app, the security researcher found, but several dozen entries were real people. Insider has independently verified these people’s information as accurate.

The breach comes shortly after Trust Stamp won a lucrative $7.2 million annual contract with ICE to monitor migrants being processed at the southern border, using facial recognition and passive GPS tracking, as Insider previously reported. The company also has partnerships with MasterCard and a major US bank to process identity verification, according to an SEC filing from the beginning of this year.

Genner said that until Insider contacted the company, it “was not aware of any suggestion of unauthorized data access anywhere in our systems” but “took all available steps to protect the referenced database”.

“We have notified the National Cyber Investigative Joint Task Force of the information provided and we will of course cooperate with them and other agencies in the investigation,” Genner said, adding, “We take the security data very seriously and we are always looking for ways to improve our policies and practices.”

Cooper Quintin, security researcher and senior technologist at the Electronic Frontier Foundation, told Insider he was “very concerned” about the breach.

“If this was possible in the demo app, my biggest concern here is that they seem to have data on a lot of people and they’re not even taking basic steps to secure that data,” Quintin said. “They are clearly not taking any of their security responsibilities.”

“They don’t strike me as a company to be trusted with [immigration] data,” the anonymous security researcher told Insider.

None of the several dozen people whose names were included in the data leak were migrants who had been processed at the US southern border. None of the people Insider was able to reach by phone were familiar with Trust Stamp or any of its services.

Genner, the CEO of Trust Stamp, confirmed to Insider that some of the user entries exposed in the breach “appear to represent ‘real people’.” It’s likely these people used a service from a company that plans to work with Trust Stamp, and that company used their data when testing the Trust Stamp demo app, Genner said. He said Trust Stamp gave credentials to potential customers, but declined to name them.

The security researcher who uncovered the breach said Trust Stamp publicly released credentials that can be used to access the demo app’s restricted application interface, or API. Accessing this API could reveal personal information — including names, addresses, dates of birth, and driver’s license issue and expiration dates — of people used in this demo app, they said.

Genner said Trust Stamp removed “all credentials” to the API after Insider contacted the company, adding that the company would reissue them with a new policy that will automatically delete test data after 90 days.

“If ‘real’ test data was uploaded and not deleted, that is contrary to the intended use of the test tool,” Genner said.

In a recent SEC filing, the company said it had “39 business opportunities” with potential customers as of March 31, 2022. In addition to its contracts with ICE and MasterCard, the company has a handful of smaller contracts with other companies. Trust Stamp also said it had “opened dialogues” with “several foreign government agencies” over the sale of its facial recognition and biometric technology.

Genner told Insider that any data breaches from the enrollment demo “would have no relevance to our government services products” because the enrollment demo is not a test for government customers.


About Donald J. Beadle
