Privacy commissioner launches investigation into licence plate breach

The privacy commissioner has launched an investigation into the Canada Border Services Agency after the licence plate reader system it uses was targeted in a malicious cyberattack in the U.S.

Earlier this summer, news surfaced that photos of travellers and licence plates collected by U.S. Customs and Border Protection through the Percepticssystem were compromised in a privacy breach last month.

The CBSA and U.S. Customs and Border Protection use the same plate reader technology.

"Our office has continued to engage with CBSA and has initiated an investigation into the breach with respect to CBSA records," said Vito Pilieci, spokesperson for the Office of the Privacy Commissioner, in an email to CBC News this week.

"Due to confidentiality provisions in the Privacy Act, I cannot provide any further details at this time."

The CBSA is conducting its ownreviewto learn if Canadians' information wasswept up in the breach.

"The Canada Border Services Agency has received an investigation notice from the Office of the Privacy Commissioner related to the Perceptics cyber attack and we are committed to working with them throughout their investigation," said spokesperson Rebecca Purdy in an email.

U.S. Customs and Border Protection said they learned of the data breach, which affected fewer than 100,000 people, in May, but saidnone of the files had been posted to the darker corners of the internet.

However, someone using the pseudonym "Boris Bullet-Dodger" contacted the tech website The Register to share a link to the hacked files on the dark web.

The Register shared that link with CBC News.

The massive trove of files includes internal Perceptics data such as payroll information, travel receipts, non-disclosure agreements and customs declarations. It also contains informationon Perceptics's competitors and even several music playlists.

U.S. officials said the company transferred copies of images to its company network without the agency's authorization, violating U.S. government policy.

The CBSA already has said Public Services and Procurement Canada reviewed Perceptics's Canadian contract and told the agency the vendor complied with all the terms.

Since 2015, the government has issued dozens of contracts to Perceptics for its licence plate reader and radio frequency identification services, totalling more than $21 million.

The CBSA still uses Perceptics's plate-reader technology.

"Our information confirms that use of this equipment does not pose systems or security vulnerabilities to the CBSA," said Purdy.