• Trust Stamp, which has a $7.2 million contract with ICE for tracking migrants, exposed dozens of people's personal data in a data breach, Insider has learned.
• Credentials meant for prospective clients to test Trust Stamp's product were posted publicly, leaving names and driver's license data exposed.
• The vulnerability, which has since been resolved, did not appear to expose any migrant data.

Trust Stamp, a government contractor that develops facial recognition and surveillance tools for agencies like Immigration and Customs Enforcement, left the personal information of several dozen people unsecured on a breached database, Insider has learned. This information included names, birthdays, home addresses, and driver's license data.

An anonymous tipster who said they were a security researcher contacted Insider and disclosed the breach. Insider confirmed the authenticity of the data with the people named in the data leak. Trust Stamp then confirmed the security vulnerability and breach to Insider. 

In an email to Insider, Trust Stamp's CEO, Gareth Genner, said that the exposed database was for prospective customers to test its product, and that most entries were "clearly invented data," such as "Heidi Sample" or "Test Alaska." A majority of the several hundred user entries exposed in the breach were indeed fake users created for what the company calls a demo app, the security researcher found, but several dozen entries belonged to real people. Insider independently verified that these people's information was accurate.

This breach comes shortly after Trust Stamp won a lucrative $7.2 million annual contract with ICE to monitor migrants processed at the southern border, using facial recognition and passive GPS tracking, as Insider previously reported. The company also has partnerships with MasterCard and a major US bank to process identity verification, according to an SEC filing from earlier this year.

Genner said that until Insider contacted the company, it "had not been aware of any suggestion of unauthorized data access anywhere in our systems" but "have taken all available steps to safeguard the referenced database."

"We have notified the National Cyber Investigative Joint Task Force as to the information provided and will of course cooperate with them and other agencies in the investigation," Genner said, adding: "We take data security very seriously and we are always looking for ways to improve our policies and practices."

Cooper Quintin, a security researcher and senior staff technologist for the Electronic Frontier Foundation, told Insider that he's "very concerned" about the breach.  

"If that was possible in the demo app, my biggest concern here is they seem to have data on a lot of people and they are not even taking the basic steps to secure that data," Quintin said. "They clearly are not taking any of their security responsibilities seriously."

"They don't strike me as a company that should be trusted with [immigration] data," the anonymous security researcher told Insider.

None of the several dozen people whose names were included in the data leak were migrants who had been processed at the US southern border. Of the people Insider was able to reach by phone, none were familiar with Trust Stamp or any of its services.

Genner, the Trust Stamp CEO, confirmed to Insider that some of the user entries exposed in the breach "appear to represent 'real people.'" It's likely these people had used a service from a company that is considering working with Trust Stamp, and that company used their data while testing Trust Stamp's demo app, Genner said. He said Trust Stamp grants credentials to prospective clients, but declined to name them.

The security researcher who discovered the breach said that Trust Stamp had publicly posted credentials that could be used to access the demo app's restricted application programming interface, or API. Anyone with access to this API could retrieve the personal information — including names, addresses, dates of birth, and the issue and expiration dates of driver's licenses — of the people whose records were loaded into the demo app, they said.

Genner said Trust Stamp withdrew "all credentials" to the API after Insider contacted the company, adding that the company will reissue them under a new policy by which test data is automatically deleted after 90 days.

"If 'real' testing data was uploaded and not deleted that is contrary to the intended use of the testing tool," Genner said.

In a recent SEC filing, the company said it had "39 commercial opportunities" with potential customers as of March 31, 2022. In addition to its contracts with ICE and MasterCard, the company has a handful of smaller contracts with other companies. Trust Stamp also said that it has "opened dialogs" with "several overseas government bodies" about selling its facial recognition and biometric technology.

Genner told Insider that any breach of Enrollment Demo data "would have no relevance to our government services products" because the Enrollment Demo isn't a test for government clients.


Read the original article on Business Insider