Perceptics, the firm that bills itself as “the sole provider of stationary LPRs” (license plate readers) at border crossing lanes for privately owned vehicles in the U.S., has been hacked. Tens of thousands of its internal files are now reportedly floating around the dark web for anyone to download.
According to several cyber-security research consultants, the hack was carried out by a person of group using the alias “Boris Bullet-Dodger.”
It’s believed Boris also hacked a vendor by the name of CityComp last month, leaking customer data after the firm opted not to pay a ransom. Perceptics has confirmed the breach, but it’s unclear if Perceptics’s now-public data was also the result of a failed ransom.
In total, the exfiltrated data contained around 65,000 “file names and accompanying directories,” according to the security researchers. Beyond internal documentation and financial information, some of the filetypes suggested the contents included location data, as well as images which could be license plate scans themselves.
Whether these are scans made by actual clients, government or otherwise, is unknown. Casey Self, Perceptics’s director of marketing, declined to answer specific questions, responding to an email from Gizmodo by writing, “All I can say is that the investigation is ongoing.”
Among those clients are U.S. Customs and Border Protection and the DEA. While license plate captures might seem relatively benign, when cross-referenced against other databases, they can be used to track the movements of individuals with alarming specificity.
And while LPRs are deployed at seemingly natural security checkpoints—like borders—they’ve also seen use in domestic surveillance, such as in California’s Sacramento County, where officials tracked the movements of welfare recipients. In 2013, the ACLU called this tech “a tool for mass routine location tracking and surveillance.”
The Electronic Frontier Foundation has also condemned blanket spying programs using LPRs, such as in 2014, when the Los Angeles Police Department tried to argue that “All [license plate] data is investigatory.”
On a lighter note – in addition to a trove of potentially sensitive data, a number of music files were included in the data dump: Among the songs: Superstition, by Stevie Wonder, and Wannabe by Spice Girls, and a variety of AC/DC and Cat Stevens songs.