CBP put travelers' personally identifying information (PII) at risk by failing to ensure that the apps used in its Mobile Passport Control (MPC) program were the most current versions, an IG report has said.
The report said that from July 2017 through December 2019, more than 10 million travelers used one or more of the apps, which operate on different mobile phone operating systems, to expedite their passage through the primary inspection process when entering the United States. U.S. citizens and Canadians may use the apps at 29 participating U.S. international airports or four seaports of entry.
The report called the apps “susceptible to vulnerabilities that create security risks . . . When travelers use the app, they transmit their PII to CBP through the app developer server sites, which creates additional risk.”
It said that CBP officials “relied on version updates from app developers but were not always notified when updates occurred. Additionally, CBP did not always identify vulnerabilities detected in scan results because CBP guidance does not require a review of all results.”
The agency also did not complete some required security and privacy compliance reviews and “did not implement specific hardware and software configuration settings on MPC servers to protect them from vulnerabilities because CBP incorrectly believed it could phase in the settings.”
It said agency management agreed with its recommendations.