A car-mounted LPR
Photo: Danny Johnston (AP)

Perceptics, the firm that bills itself as “the sole provider of stationary LPRs” (license plate readers) at border crossing lanes for privately owned vehicles in the U.S., has been hacked. Tens of thousands of its internal files are now reportedly floating around the dark web for anyone to download.

According to The Register, which broke the story yesterday, the hack was carried out by a person of group using the alias “Boris Bullet-Dodger.” It’s believed Boris also hacked a vendor by the name of CityComp last month, leaking customer data after the firm opted not to pay a ransom. Perceptics has confirmed the breach, but it’s unclear if Perceptics’s now-public data was also the result of a failed ransom.

In total, the exfiltrated data contained around 65,000 “file names and accompanying directories,” according to the Register. Beyond internal documentation and financial information, some of the filetypes suggested the contents included location data, as well as images which could be license plate scans themselves. Whether these are scans made by actual clients, government or otherwise, is unknown. Casey Self, Perceptics’s director of marketing, declined to answer specific questions, responding to an email from Gizmodo by writing, “All I can say is that the investigation is ongoing.”

Among those clients are U.S. Customs and Border Protection and the DEA. While license plate captures might seem relatively benign, when cross-referenced against other databases, they can be used to track the movements of individuals with alarming specificity. And while LPRs are deployed at seemingly natural security checkpoints—like borders—they’ve also seen use in domestic surveillance, such as in California’s Sacramento County, where officials tracked the movements of welfare recipients. In 2013, the ACLU called this tech “a tool for mass routine location tracking and surveillance.” The Electronic Frontier Foundation has also condemned blanket spying programs using LPRs, such as in 2014, when the Los Angeles Police Department tried to argue that “All [license plate] data is investigatory.”

The Register notes that, in addition to a trove of potentially sensitive data, a number of music files were included in the data dump:

Among the songs: Superstition, by Stevie Wonder, and Wannabe by Spice Girls, and a variety of AC/DC and Cat Stevens songs.

Not exactly the soundtrack to the panopticon we’d imagined.

As always, if you have a tip about any this hack—or just know the other songs on in the hack and want to make us a playlist—don’t hesitate to reach out. We’re available via email, Keybase, or anonymously via our Secure Drop server.