
US Customs Database Of Traveler Photos Was Hacked And Stolen - pseudolus
https://www.buzzfeednews.com/article/daveyalba/the-us-governments-database-of-traveler-photos-has-been
======
axaxs
> On May 31, 2019, CBP learned that a subcontractor, in violation of CBP
> policies and without CBP’s authorization or knowledge, had transferred
> copies of license plate images and traveler images collected by CBP to the
> subcontractor’s company network

> CBP ... is closely monitoring all CBP work by the subcontractor

What. In the private sector, they'd have been fired and probably legal action
levelled against them. The CBP's punishment for this is 'monitoring'? Please
tell me I'm reading this wrong...

~~~
acdha
“In the private sector” covers a lot of ground and I have extreme skepticism
about your faith in the process unfolding that way: ask yourself how many
breaches you’ve been part of and whether anything more than a press release
happened along with waiting for the news to die down. How many customers did
Experian lose?

(In the enterprise software world, I can tell you how epic failure to perform
on an 8+ figure contract unfolds: the sales guy takes a VP out to the next
game so they can discuss it over drinks in the corporate box and nothing will
change)

~~~
all_blue_chucks
> How many customers did Experian lose?

Experian didn't lose any customer data, though. They only lost data on their
products. Their actual customers had no reason to stop paying for their
services.

~~~
paul7986
It was Equifax not Experian.

~~~
joe_the_user
I think it's telling that, in this instance, it really doesn't matter. It
could have been Experian, with the wave of a butterfly's wings in Himalayas,
it was Experian and nothing changes in that alternative universe.

------
cjhanks
The only way to prevent hackers from getting access to databases that contain
our names, picture, and license plate number - is to never create such a
database.

~~~
EForEndeavour
Correct me if I'm being overly cynical, but this is an oft-repeated truism
that is as useless as "the only winning move is not to play." It's technically
the truth, but what are we supposed to do, revert all information systems to
non-electronic media? What is the intended takeaway from this statement? If
anything, it absolves data security efforts of responsibility by pointing out
that there's always a chance of data breach as long as there is data.

That's trivially true, but the proper response to bad security is good
security, not shutting down the whole system.

~~~
mkagenius
1. Do not collect unnecessary information.

2. Delete information after use.

~~~
GordonS
This will only happen when information becomes a liability.

------
txcwpalpha
This is yet another reminder that managing the security of your company's
third party contractors is just as important as managing your own company's
security. Security is a game of weakest links, and it wouldn't have mattered
if CBP's internal security was the best in the world if they were allowing
access to a third party that doesn't have good security.

It is naturally very difficult to enforce security mandates on a company that
isn't your own, but I feel that this is one of the best ways we can improve
security overall in our society: companies need to start requiring that
everyone they do business with have a strong, independently certified security
program, or else no contract will be signed. This is already done for things
like data center contracting, but it should be much more widespread and
encompass every type of b2b deal.

~~~
dpau
From the article: "The subcontractor's network was then hacked, though CBP
said its own systems had not been compromised."

No, actually your system _was_ compromised by allowing the subcontractor to
copy the data to another, more insecure network.

------
lr
Quote from the article:

“There should never have been the ability to download a database like this off
of government servers.”

Sorry that I don't have a ton of links to support this claim, but "believe me"
(as our Commander-in-chief would say) that the US Government would cease to
function if it were not for subcontractors (read, private companies)
performing tasks on behalf of the government. Personally, I don't agree with
this way of our government doing business, but that is the way it is.

When I was in college, I worked for an archeology lab, and our lab was the
subcontractor, of the subcontractor, of the contractor that had contracted to
provide a service to the USACE (US Army Corps of Engineers). And every way
along the way, money was skimmed off of the top. It's just "the American way"
of doing business.

People lament regulation all the time. I have a feeling the executives of
Ingersoll Rand love it every time a new regulation is put into place.

Follow the money.

------
koolba
> “CBP learned that a subcontractor, in violation of CBP policies and without
> CBP’s authorization or knowledge, had transferred copies of license plate
> images and traveler images collected by CBP to the subcontractor’s company
> network,” said an agency statement.

How long will it take the general public and elected officials to understand
that the only authorization that matters for digital data is the actual
implementation. Policies, legalese, mandates or any other agreements are
meaningless.

If the data can be gotten at from or transferred to outside of a controlled
environment, it will.

------
projectileboy
I’ll just keep saying this, and getting dismissed by everyone I know - any
data security discussion around a centralized data store that doesn’t begin
with the recognition that that data store _will_ be compromised, is a
discussion that is just a joke.

~~~
anigbrowl
You and a whole bunch of other people making the same extremely basic
observation. It would be good if you would suggest some alternative
strategies, since 'don't bother keeping that data' isn't a realistic option in
this context.

~~~
munchbunny
Part of my job is designing software that is resistant to amplification once
the hacker is already in, so maybe I can help here.

When you plan your security, step 1 is making it hard to get in, step 2 is
making it hard to persist, i.e. plant a command and control process somewhere
inside the perimeter, and to move laterally in the system, i.e. get from one
service into a more important service.

There's some basic stuff, such as firewall rules that prevent outbound traffic
from ports/processes you aren't expecting. That makes it harder for the
hacker's command and control systems to get instructions. There's other stuff
like using separate credentials for low sensitivity vs high sensitivity
systems, two-stage approval processes for especially sensitive operations to
prevent a single compromised user from being able to get to the good stuff,
automatic password rotation so that exfiltrated tokens aren't valuable, and
more.

Those are just single things though. I think the more interesting part is an
exercise like this: assume that the hackers have compromised a developer's
computer. In that case, what does a system look like that would prevent that
developer from exfiltrating payment info? I would argue that the developer
doesn't normally need access to real payment info, so maybe the network should
be configured so that the developer is unable to SSH into that set of database
servers without first requesting a special short-lived SSH keypair. That at
least means the developer has to explicitly ask for access. That doesn't make
the hacker's job impossible, it just makes it harder. Also makes things less
convenient for the developer, so is it worth the trade-off? For especially
sensitive data, it probably is. With this setup, maybe the hacker gets to the
account information, but they're stopped short of account numbers long enough
to notice the breach.

This is all on the theoretical side, but that's the thought exercise once you
go "let's pretend someone compromised ____ system."
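The "request a special short-lived SSH keypair" idea in the comment above, modelled as an added example (my code, not munchbunny's or any named system's): an access broker that only hands out a credential for a sensitive target after a second person approves, clamps every grant to a short TTL so an exfiltrated token ages out, and keeps an audit trail of who asked and who approved. The target names, the 15-minute limit and the broker API are assumptions for illustration.

```python
"""Added example: approval-gated, short-lived access grants for sensitive
systems. Everything here (names, TTL, API) is assumed for illustration."""
import secrets
from dataclasses import dataclass

MAX_TTL_SECONDS = 15 * 60  # assumed policy: no grant lives longer than 15 min


@dataclass
class Grant:
    requester: str
    approver: str
    target: str
    token: str
    expires_at: int  # unix seconds


class AccessBroker:
    """Issues short-lived tokens for brokered targets under a two-person rule."""

    def __init__(self, sensitive_targets):
        self.sensitive_targets = set(sensitive_targets)
        self.pending = {}   # request_id -> (requester, target)
        self.grants = {}    # token -> Grant
        self.audit = []     # append-only record of requests and approvals

    def request(self, requester, target):
        # Only targets the broker knows about can be requested at all.
        if target not in self.sensitive_targets:
            raise ValueError(f"{target!r} is not a brokered target")
        req_id = secrets.token_hex(8)
        self.pending[req_id] = (requester, target)
        self.audit.append(("request", requester, target))
        return req_id

    def approve(self, req_id, approver, now, ttl=MAX_TTL_SECONDS):
        requester, target = self.pending.pop(req_id)
        # Two-person rule: a compromised developer account cannot self-approve.
        if approver == requester:
            self.pending[req_id] = (requester, target)
            raise PermissionError("requester cannot approve their own request")
        ttl = min(ttl, MAX_TTL_SECONDS)  # clamp, never extend, the lifetime
        token = secrets.token_urlsafe(32)
        self.grants[token] = Grant(requester, approver, target, token, now + ttl)
        self.audit.append(("approve", approver, requester, target))
        return token

    def check(self, token, principal, target, now):
        """True only for the right principal, the right target, and before expiry."""
        grant = self.grants.get(token)
        if grant is None:
            return False
        if now >= grant.expires_at:
            del self.grants[token]  # stolen tokens become worthless on their own
            return False
        return grant.requester == principal and grant.target == target


if __name__ == "__main__":
    broker = AccessBroker(["payments-db"])
    rid = broker.request("alice", "payments-db")
    tok = broker.approve(rid, "bob", now=0)
    print("valid at t=60s:", broker.check(tok, "alice", "payments-db", now=60))
    print("valid at t=20min:", broker.check(tok, "alice", "payments-db", now=1200))
    print("audit:", broker.audit)
```

The point of the clamp in `approve` is that the broker, not the requester, decides how long access lasts; the point of the audit list is that "the developer has to explicitly ask" leaves a record a responder can read after the fact.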

~~~
CGamesPlay
One of my favorite Hacktober tricks was putting an alias around SSH on the
developers machine, so the next time they used 2FA to get into a remote host I
would drop a note into their MOTD (to prove persistence). That short-lived SSH
token would be enough to install persistence.

So obviously, your payment hosts should be very wary of things like port
forwarding over SSH, and any unknown outbound traffic.

~~~
munchbunny
Yup, at some point it just becomes an arms race.

The fundamental imbalance in such an arms race is that the tech giant might
have countermeasures that would prevent the SSH alias from working (my team
does), but the level of paranoia required to get those countermeasures in
place is beyond what a bank could effectively implement. This particular
battle disproportionately favors the red team.

And that's not to say that my team has everything covered. The red team
consistently manages to find forehead slapping holes in our defenses. There's
just too much surface area to cover.

------
Canada
Great job, thanks guys. Shouts to NSA and the whole security industrial
complex for looking out for us. Glad to see all the research and
0day hoarding paid off. Really appreciate it.

------
jacquesm
You can outsource work, you can't outsource responsibility. It will likely be
a long time before the various powers that be really get this.

~~~
haberman
Isn't monetary liability a form of "outsourced responsibility"? I'm not
understanding why damages from lawsuits are not sufficiently motivating the
industry to take data breaches seriously. Maybe they just aren't awarding
enough damages to change behavior?

~~~
geggam
Think liability insurance, by the same companies who charge you healthcare. We
are spreading the cost of irresponsible folks across society then bailing out
the companies who make those choices.

------
savethefuture
The photos were transferred to a subcontractor’s network and later stolen
through a “malicious cyberattack,” a CBP spokesperson told TechCrunch in an
email.

Anyone think they approved the security of that subcontractor before giving
sensitive information to them?

More importantly, why is that type of data leaving CBP in the first place?

~~~
txcwpalpha
> Anyone think they approved the security of that subcontractor before giving
> sensitive information to them?

They almost certainly did, actually. FIPS [1] and FISMA [2] are pretty strict
requirements for every company contracting with a government agency. IMO it's
one of the rare situations where, at least conceptually, the federal
government has done something right in terms of security.

Now whether FIPS/FISMA, and the people enforcing it, actually have any teeth
or effectiveness is a different topic entirely.

1:
[https://en.wikipedia.org/wiki/Federal_Information_Processing...](https://en.wikipedia.org/wiki/Federal_Information_Processing_Standards)

2:
[https://en.wikipedia.org/wiki/Federal_Information_Security_M...](https://en.wikipedia.org/wiki/Federal_Information_Security_Management_Act_of_2002)

~~~
Johnny555
If Fedramp is like other security certifications, written policies can be used
in lieu of actual enforcement.

A policy could be something like:

"Vendor shall not move sensitive data out of CBP's secure network"

So it's pretty much on the honor system. And some new employee at the vendor
may not even be aware of all of the policies they are supposed to be
following. The vendor is still responsible for that employee's actions, but it
can be discovered too late (as in this case, the breach was already made).

But instead of just a written policy (among dozens or hundreds of others) that
people are expected to abide by, this could be enforced by limiting the
vendor's access to the network. For example, by counting how many records they
access, how many bytes of data they download over their connection to the
secure network, or not giving them direct access at all and exposing only an
API controlled by CBP that gives them access to only the data they require.
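The "count how many records they access, how many bytes they download" control from the comment above, as an added example (my code, not Johnny555's or CBP's): a detector that runs over per-vendor access-log lines, keeps a sliding one-hour total of records and bytes for each vendor, and raises an alert the moment a vendor exceeds its quota or an unknown vendor shows up. The log format, vendor names, quotas and the sample lines are all constructed for the example.

```python
"""Added example: per-vendor volume monitoring over a constructed access log.
Log format, vendor names and quotas are assumptions, not a real CBP format."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format: "<iso-utc> vendor=<id> op=<name> records=<n> bytes=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vendor=(?P<vendor>\S+) op=(?P<op>\S+) "
    r"records=(?P<records>\d+) bytes=(?P<bytes>\d+)$"
)

# Assumed per-vendor limits for any one-hour window.
QUOTAS = {
    "vendor-a": {"records": 500, "bytes": 50_000_000},
    "vendor-b": {"records": 500, "bytes": 50_000_000},
}
WINDOW = timedelta(hours=1)

# Constructed sample log: two vendors doing small lookups, then vendor-a
# pulling a bulk export, then a vendor nobody provisioned.
SAMPLE_LOG = [
    "2019-05-20T09:00:00Z vendor=vendor-a op=lookup records=3 bytes=120000",
    "2019-05-20T09:10:00Z vendor=vendor-b op=lookup records=5 bytes=200000",
    "2019-05-20T09:20:00Z vendor=vendor-a op=lookup records=4 bytes=160000",
    "2019-05-20T09:30:00Z vendor=vendor-a op=export records=20000 bytes=800000000",
    "2019-05-20T09:45:00Z vendor=vendor-c op=lookup records=1 bytes=40000",
]


def parse_line(line):
    """Return a dict for a well-formed line, None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "vendor": d["vendor"],
        "op": d["op"],
        "records": int(d["records"]),
        "bytes": int(d["bytes"]),
    }


def detect_bulk_access(lines, quotas=QUOTAS, window=WINDOW):
    """Sliding-window totals per vendor; one alert per (vendor, metric) breach."""
    recent = defaultdict(deque)                              # vendor -> events in window
    totals = defaultdict(lambda: {"records": 0, "bytes": 0})  # vendor -> running sums
    alerts, alerted = [], set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            alerts.append(("unparsable", line))
            continue
        v = ev["vendor"]
        recent[v].append(ev)
        totals[v]["records"] += ev["records"]
        totals[v]["bytes"] += ev["bytes"]
        # Evict events that have fallen out of the window (lines arrive in time order).
        while recent[v] and ev["ts"] - recent[v][0]["ts"] > window:
            old = recent[v].popleft()
            totals[v]["records"] -= old["records"]
            totals[v]["bytes"] -= old["bytes"]
        limit = quotas.get(v)
        if limit is None:
            alerts.append(("unknown_vendor", v, ev["ts"]))
            continue
        for metric in ("records", "bytes"):
            if totals[v][metric] > limit[metric] and (v, metric) not in alerted:
                alerted.add((v, metric))
                alerts.append(("quota_exceeded", v, metric, totals[v][metric], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_access(SAMPLE_LOG):
        print(alert)
```

The same counters can sit in front of an API gateway as a hard block rather than an alert; the difference between the two is exactly the difference between a policy a new employee may never read and a limit the network enforces.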

------
DigitalVerse
Don't worry folks, I'm sure this won't hinder the CBP and other related
agencies from continuing to roll out systems that capture ever more of our
data.

------
utefan001
The sad truth is Congress is the biggest offender of poor network security
practices. Every time they bring in Equifax, DHS, etc to explain why they
didn't practice basic IT security due diligence or due care I am reminded of
the time smart people were hired to implement basic network security for
Congress. Once they realized Joe in IT (who was hired to keep hackers out) can
see Congressman Bob has a foot fetish, fish fetish, whatever, Congress told IT
to turn everything off.

~~~
drtillberg
Not far off from what it turns out (after investigation) really happened![1]

[1]
[https://en.m.wikipedia.org/wiki/Imran_Awan](https://en.m.wikipedia.org/wiki/Imran_Awan)

~~~
vageli
> Not far off from what it turns out (after investigation) really happened![1]

> [1]
> [https://en.m.wikipedia.org/wiki/Imran_Awan](https://en.m.wikipedia.org/wiki/Imran_Awan)

I don't see how that link supports your conclusion? From my reading of it, no
data was stolen by Imran Awan?

~~~
drtillberg
There were more serious allegations against the individual, but the gov't
dropped those claims. All that was left was the fact this individual had
extensive access to Congressional servers.

------
lsllc
Rule #1 about databases: It will be hacked. Rule #2: see rule #1

~~~
izzydata
That would imply that security is irrelevant. Maybe you should re-work your
rule to say that it will attempt to be hacked. Therefore you should always
worry about security.

~~~
smudgymcscmudge
I'm with OP here. You just shouldn't have unencrypted, sensitive data in a
database.

~~~
izzydata
I kind of think you've misunderstood something. This person said "You will be
hacked". A guaranteed absolute. If that were the case then why bother
protecting anything?

His wording was misleading. Not his intentions. Nobody is in disagreement that
security is very important.

~~~
munk-a
I disagree, his wording was pretty spot on. Don't collect personal data - it
will be hacked. At many of the businesses I've worked at I've made an effort
to lower our PII data blob purely to reduce liability for when it was
compromised. If you can see some information, a hacker eventually will.

Granted, lowering liability is apparently something I shouldn't worry about
since no one is ever held to account for breaches these days.

~~~
izzydata
If that is what he was going for then alright. My bad.

------
nihonde
Just another reminder that there is no accountability left in America, and you
reap what you sow. If you want a society that is accountable, you need to
start with a culture that values honor and takes shame seriously. You can’t
impose a sense of honor from the outside without building it slowly from
within, any more than you can impose respect without earning it.

If you ignore these principles, you make room for people who lack self-worth,
and those are the most destructive forces in a society because they have
nothing to lose.

------
lifeisstillgood
Can I play devil's advocate here?

This is, of course, a serious breach and there will and should of course be
consequences for the negligent parties

but

I am struggling to see the threat model being faced here.

biometric data is _just_ a username. I flash my face around all day, and am
careless as to where I leave my thumbprint.

The loss of so many photos and names is unlikely to have national level
consequences (Compare this to say the Office Of Personnel management breach
from some years back - that has horrible implications for US National security
for decades) and the personal level consequences are ... hard to see

What this _does_ underline is that we are outrageously careless as an industry
with our data (comparable to early industrial "pollution" as Schneier points
out). And it is not going to get better without a) career and business ending
consequences b) new ways to store / secure data c) a new way of thinking about
who owns and what is personal data

Personally I think we need a new form of intellectual property (just as we are
trying to work out what kind of company FAANG are (not telcos, not newspapers,
what _is_ a platform?) we need to ask what is personal data

This comment is presumed under law to be _my_ property, my copyright. I might
license that property away (dunno never read HN T&Cs) but it is mine. But
google and apple and others will track that I sat down at a certain time and
place to write it, my ISP will see when I sent to which servers.

All of that data is also _created_ by my conscious actions - should that data
not also be _my_ property. And if need be licensed - and compensated for its
use?

And when (if) my data is held - then we should presume that it can be accessed
by my agents for my benefit (from spending patterns to heart data). I would
argue that Sometimes surveillance can be good for us - but only in ways
similar to doctors knowing more about me can be good for me - the entire
industry of medicine has individual interests at its heart and took a long
time to get there.

We are heading in that direction (perhaps) but till we get there, carelessness
will be the cheapest option, surveillance always bent against us (by state or
other actors). We should rail against this stupid dumb breach, but punishing
the "bad guys" is not even the first step on the road.

If I can make a bad analogy - It's not one incident that people got sick from
one chef badly cooking chicken - it's we need to look at factory farming and
meat consumption and healthy eating and marketing bias as a whole.

~~~
Macross8299
>I am struggling to see the threat model being faced here.

We don't really know the full details of the breach, but if the facial
recognition database contained names in a column associated with pictures,
that data can absolutely be leveraged and cross-referenced against other
"fullz" for fraud that even passes a lot of online verification procedures.

~~~
lifeisstillgood
I agree that we don't know what was lost, and it could _easily_ be waaay worse
than I imagine

But this kind of comes back to my point - why do we have online verification
systems that rely on things like knowing my address in the last three years -
Equifax breach should have meant we gave up on using a credit risk scoring
system as an identity provider.

But we don't.

We need to rethink what is identity (start with web of trust) and who owns
data that links to that identity.

I mean this could be the start of a positive identity provider - grab that
downloaded database and provide a system that says this is a picture of Paul
Brian's face, and his passport, and on the 20th August last year an official of
the US government compared them in real life and verified they matched (there
may even be a hash of the digital images made at the time but I should not get
my hopes up)

Now make that globally available. Is that useful and valuable - I think so. I
would prefer if I had been able to upload my public key to that at the same
time (I can always visit NYC again) but you get the idea. This leads to
question like why does my passport not generate a key pair for me to use? Can
I use facial recognition to match my gravatar / facebook / twitter ? Why is
knowing a non-secret (mother's maiden name, passport or drivers license
number, three digits on back of credit card) seen as security?

Why is it we use what we have to hand and not what is needed? Why don't
american banks use chip and pin?

It's not bad that my online identity is clear and visible - as long as the
legal and practical frameworks exist to support it - which they basically
don't right now but we could make it happen

------
noonespecial
They've helped themselves to what seems to be limitless legal power as well as
a functionally infinite budget... and still this type of incident doesn't
surprise us in the least. Everyone just expects them to be one of the least
competent actors in the space. And they don't disappoint. Hmmm.

------
chuckgreenman
If only someone could have seen this coming, you know, outside of the
thousands of people that saw this coming. This is just one of many reasons why
mass surveillance is terrible.

~~~
dsfyu404ed
Why is it terrible? Sure this has the potential to have negative consequences
for the people whose data it was but as far as the government cares it's
working fine.

~~~
roboys
Now the innocent muslim community (who I expect are over-represented in these
databases) gets to enjoy identity theft.

It's just a pile on at this point.

~~~
dhruvrrp
It says license plate images from a single point of entry so it probably
represents majority Mexican or Canadian people.

------
jonahhorowitz
Who could have predicted this would happen?

~~~
melan13
Anyone? Why is a 3rd party given the ability to store such a large database
to conduct such business? They should at most store the last 3 months border
documents, nothing older than this.

~~~
juandazapata
I _think_ OP was trying to be sarcastic.

~~~
fourier_mode
I think you can remove the "think".

------
wil421
CBP database with images of travelers and license plates breached via a
subcontractor with access to CBPs network. Updates to follow.

Nothing else in the article.

------
rdiddly
"First you say don't take your pictures. Then you say don't lose them in a
breach. Make up your minds!"

------
souterrain
If CBP is not directly forthcoming with facts relating to the breach
(specifically, whose information was unlawfully taken from the CBP production
network) how does one seek redress for the harms created by the actions of the
contractor?

------
a3n
I haven't crossed the border in twenty years but I'm probably in this or a
related database.

I'm a long distance trucker. A few weeks ago I was traveling north from
Laredo. When I drove through the border patrol checkpoint, a bank of five or
six cameras to my right flashed, I assumed getting my face, license plate, and
likelihood of committing a crime in the near future.

The truck is registered to my employer, but I'm sure that can lead to me with
a WHERE clause.

At the least they would know where they've seen this face in this truck. I
wonder if being in a different truck would be suspicious. I guess it would be
if they needed it to be.

------
mehrdadn
Seems reasonable for the federal government to pay states to send new license
plates to affect the compromised ones? I'm not under the impression license
plates aren't recorded in public anyway, but still.

------
SanchoPanda
"...though CBP said its own systems had not been compromised."

That's one way of looking at it.

------
IOT_Apprentice
The amazing thing is we became aware of this practice back in early May. It is
now June and it has been hacked.

------
dmitrygr
A large collection of valuable data that was questionably secured was somehow
stolen!? Say it ain't so!

------
javagram
> “Initial information indicates that the subcontractor violated mandatory
> security and privacy protocols outlined in their contract,” the statement
> read.

Could this lead to criminal charges? Perhaps charging the contractor under
CFAA for unauthorized access?

~~~
olliej
Only if the contractor was not meant to have access to this data. I would put
money on them being contracted to "securely manage" the data CBP accrued
without consent.

------
netsec_burn
Sounds like Perceptics.

~~~
mzs
seems very likely, wapo journo broke this and it's alluded to:
[https://wapo.st/2ItjHfW](https://wapo.st/2ItjHfW)

~~~
sehugg
The Register reported the Perceptics breach on May 23:
[https://www.theregister.co.uk/2019/05/23/perceptics_hacked_l...](https://www.theregister.co.uk/2019/05/23/perceptics_hacked_license_plate_recognition/)

~~~
mzs
Sorry I was unclear and linked to the wrong article, I meant that wapo journo
poking around led to DHS & CBP responding on the record. It was one in the
line of recent articles about facial recognition that travelers can opt-out of
but nobody is sure how exactly you are supposed to do so. The wapo article I
linked did attribute The Register info linking Perceptics. Both wapo articles
are linked in this tweet:
[https://twitter.com/geoffreyfowler/status/113817627922244403...](https://twitter.com/geoffreyfowler/status/1138176279222444032)

> And on Monday, after I published this column online, Department of Homeland
> Security officials called me to disclose that photos of travelers were
> recently taken in a data breach, accessed through the network of one of its
> subcontractors.

------
mattnewton
And that’s why I don’t want my face as my passport.

------
dwho168
Funny how I was just reading another article about this this morning..

[https://www.washingtonpost.com/technology/2019/06/10/your-fa...](https://www.washingtonpost.com/technology/2019/06/10/your-face-is-now-your-boarding-pass-thats-problem/?utm_term=.a6fafa0861f4)

------
whygovwhy
To me the real question is why is a subcontractor able to copy the entire
database? Why wouldn't the government only allow limited access to the
database to these contractors?

------
pseudolus
Fair compensation to those whose biometric information has been compromised
should, at the very minimum, include free plastic surgery - in similar
situations where social security numbers have been offered the government has
provided new replacement social security numbers, so there is precedent.
Seriously though, this highlights the danger of databases of biometric
information, there's no way of remedying the damage because there's no
credible way of altering one's personal biometric markers.

~~~
dawnerd
Or let this be proof that biometrics are a terrible way to verify someone's
identity.

------
mehrdadn
Where did the license plate information come from?

~~~
ggcdn
I would think it's from cameras at vehicle border crossings. You can see an
example here:
[https://goo.gl/maps/GRAY5GVnAYLr7aSZ8](https://goo.gl/maps/GRAY5GVnAYLr7aSZ8)

~~~
velosol
Not just land border crossings - there are also CBP-maintained checkpoints [1]
within the '100-mile zone'.

[1]:
[https://goo.gl/maps/Nfk1XjUFGsNh5QD29](https://goo.gl/maps/Nfk1XjUFGsNh5QD29)

------
freewizard
I would like to know:

how many individuals and vehicles have been impacted?

anyway we can hold the agency and its contractors accountable for this issue?

------
d33
> CBP requires that all contractors and service providers maintain appropriate
> data integrity

Requires, but how do they enforce it?

------
ljm
According to the report, CBP is passing the buck on this one.

They created policies that could be ignored. That’s on them. They shouldn’t be
able to use their position to avoid accountability or to scapegoat their
contractors (that they likely hired without due diligence).

Government agencies should never be seen as victims. They hold power and
authority that nobody else can hope to enjoy. There is no higher power to hold
them to account because the electorate had already been subverted to maintain
their position. So they should not be protected from fucking up. In this
context, God or the Lord is not a higher power, it is also a scapegoat.

With great power comes everybody else’s responsibility... said only by people
in this century.

Edit: to follow this up, CBP is also the agency that sucks up all the data on
your phone and laptop. They have treasure troves of license plates, passport
photos, and titty and dick pics.

They cannot absolve themselves of liability when they are invading everybody’s
privacy. If they say they don’t use the data, and they are acting out of
ignorance, then that’s a solid case for not collecting it in the first place.

As it stands, the US needs a GDPR.

~~~
kevin_b_er
Indeed. CBP made the choice to subcontract w/o proper controls. It is still
CBP's fault.

~~~
MrMorden
Given that the contractor violated the data handling rules in their contract,
the only possible remedy is revocation of their facility security clearance,
followed immediately by revocation of the personnel security clearances of
everyone who claimed that these systems were operating in accordance with
their SSPs.

I'd like to believe that this will happen, but I've seen plenty of cause for
FSCs to be revoked and almost no FSC revocations.

~~~
icelancer
And remunerations for all citizens that were affected in the form of cash
payments.

~~~
zaphirplane
S/citizens/Anyone/

------
exabrial
Great, maybe it can fine itself for the breach. And by that, meaning it can
return my tax money to me.

------
sailfast
It is clear from the tenor of some of the posts here that more of you need to
work for some non-zero time in the government so you can have some empathy /
appreciation here. They’re hiring.

~~~
mattnewton
The same org separating children from their families at the border in
violation of a court order? Why would I take a pay cut to work for that
mission?

I don’t fault the engineers in any case, it seems like their technical
security wasn’t tested here; it was some kind of policy failure that led to
the information leaving government control. And that’s the problem, we don’t
solve this with engineering, or empathy for engineers, we solve this by
letting legislators know what we feel and know as members of the industry,
through letters and the ballot box.

~~~
sailfast
I meant government in general - not CBP. Without having worked in the federal
space, it’s likely a lot of the context of this - policies, procurement,
onboarding, security, etc is lost. Probably should have clarified and I
deserve the downvotes. Agreed that CBP’s mission at the moment is a serious
problem.

------
ChymeraXYZ
Can I sue them for negligence with my personal information under GDPR as a EU
citizen?

------
mg794613
Nobody saw this coming or warn about this...

------
sbov
It's not clear to me if the whole database was downloaded and leaked or just
part of it. Anyone know?

------
mehrdadn
> CBP’s networks were unaffected by the breach.

Why did citizens' private data leave CBP systems in the first place?

------
tyleregeto
Ccdwd

------
lr
Same story that is also trending on the HN homepage right now... My comment
from that story which is from
([https://www.buzzfeednews.com/article/daveyalba/the-us-govern...](https://www.buzzfeednews.com/article/daveyalba/the-us-governments-database-of-traveler-photos-has-been)):

Quote from the article: “There should never have been the ability to download
a database like this off of government servers.”

Sorry that I don't have a ton of links to support this claim, but "believe me"
(as our Commander-in-chief would say) that the US Government would cease to
function if it were not for subcontractors (read, private companies)
performing tasks on behalf of the government. Personally, I don't agree with
this way of our government doing business, but that is the way it is.

When I was in college, I worked for an archeology lab, and our lab was the
subcontractor, of the subcontractor, of the contractor that had contracted to
provide a service to the USACE (US Army Corps of Engineers). And every way
along the way, money was skimmed off of the top. It's just "the American way"
of doing business.

People lament regulation all the time. I have a feeling the executives of
Ingersoll Rand love it every time a new regulation is put into place.

Follow the money.

~~~
grecy
> _Quote from the article: “There should never have been the ability to
> download a database like this off of government servers.”_

I love when I read quotes like this that are so obviously written by non-tech
people that have no idea what they're talking about.

As we at HN all know, if it exists digitally, it can - and will - be
downloaded. End of story.

------
icelancer
The government is never held accountable for mistakes they make. They are, in
fact, too big to fail.

~~~
DoofusOfDeath
> The government is never held accountable for mistakes they make.

In a functioning democracy "they" is "us".

~~~
komali2
We don't necessarily have a functioning representative democracy, though - too
much power is held by lobbyists, the fact that politicians can lie to the
population, and the fact that our votes don't 1:1 elect officials due to
gerrymandering and voter suppression.

~~~
ljm
Too much power is given to money and wealth. This has held true for thousands
of years in Western civilisation (back in Ancient Greece, wealth was measured
by output, the Pentekosiomedimnoi being the aristocrats).

The whole setup seems more and more like a grand cash grab.

~~~
icelancer
It's actually mostly just pure laziness.

[https://history.house.gov/Historical-Highlights/1901-1950/Th...](https://history.house.gov/Historical-Highlights/1901-1950/The-Permanent-Apportionment-Act-of-1929/)

 _The Permanent Apportionment Act of 1929_ was enacted because it was "too
hard" for Congress to rezone/redistribute House of Representative members.
This measure, and ones like it both in law and in business, create large
bureaucratic organizations that move slowly and are prized for their
stability, which is another word for "zero accountability or disruption."

Very few people set out to have growing inequality of resources or to amass
power for the sake of doing it, though of course the people in power now seek
to keep it for the sole reason of not wanting to lose it (they frame it as
"too big to fail," "stability is important," and so forth).

It's just pure inertia. We went away from smaller regional governments that
report up to a lightly-empowered federal one with a lot of individual liberty
step by step, for convenience and for "safety" (any number of military or
police actions, foreign and domestic), and we get what we deserve.

------
dannykwells
We are living in a boring, yet somehow equally terrifying, dystopia.

~~~
dflock
[https://www.reddit.com/r/aboringdystopia](https://www.reddit.com/r/aboringdystopia)

------
spsrich2
Astonishing! I never thought for a moment this data would end up getting
lifted !

