Canada's border agency is still using Perceptics's licence plate reader equipment, even after the company fell victim to a recent malicious cyberattack in the U.S.
Earlier this month, news surfaced that photos of travellers and licence plates collected for U.S. Customs and Border Protection had been compromised in a May privacy breach.
The Canada Border Service Agency, which uses the same plate reader technology employed by U.S. Customs and Border Protection, launched a review to see if the breach involved Canadians and affected CBSA's operations at all.
"The CBSA remains in contact with Perceptics on a daily basis to get updates on recent events and their actions on how they are addressing it," said agency spokesperson Nicholas Dorion in a followup email to CBC.
"At this time, the CBSA continues to utilize the Perceptics licence plate reader equipment. While we continue to work towards a full forensic investigation, the vendor has implemented measures to prevent re-occurrence of a similar breach and will continue to adjust its security protocols as necessary."
The federal agency refused to say where it's using Perceptics's technology, arguing that would "jeopardize its operations."
Based on the hacked files, CBC News was able to identify two dozen locations Perceptics equipment was sent to, from Huntingdon, B.C., to Andover, N.B.
U.S. Customs and Border Protection officials were quick to downplay last month's hack, saying that fewer than 100,000 photos had been compromised and that none of the files had been posted to the darker corners of the internet.
However, someone using the pseudonym "Boris Bullet-Dodger" contacted the tech website The Register to share a link to the hacked files on the dark web.
The Register shared that link with CBC News.
The massive trove includes Internal Perceptics files such as payroll information, travel receipts, non-disclosure agreements and customs declarations. It also contains information on their competitors and even several music playlists.
The posted files also name a number of Perceptics's past and present clients with Canadian ties.
Other Canadian companies, departments used Perceptics
International Road Dynamics, which runs traffic weighing stations in almost every province, said while they use Perceptics's cameras, the contractor doesn't have access to their systems.
"We have not been advised that any of our data was included in the breach," said spokesperson Dave Mason in an email to CBC News.
Halifax Harbour Bridges hired Perceptics to conduct a licence plate study in the spring and summer of 2018, but the authority also says it doesn't believe any private information was jeopardized.
"Any security breach is concerning. The scope of the project required that no information leave HHB premises. Therefore, we are confident no customer information was compromised," said spokesperson Alison MacDonald.
The Buffalo and Fort Erie Public Bridge Authority confirmed it purchased Perceptics cameras, but said the company doesn't control any of the data.
"In 2016 we did purchase Perceptics cameras for licence plate and facial recognition cameras for pilot program testing for commercial (trucks) entries only into the United States as [a] means of expediting commercial border crossings. This program is administered solely by (U.S. Customs and Border Protection)," said general manager Ron Rienas.
Another federal department, the Canada Revenue Agency, had a contract with the company up until 2014.
"We can confirm that there are no indications that CRA systems have been compromised. To ensure the integrity of CRA systems, we have a team of experts that work 24/7 to prevent, detect and investigate all security incidents," said spokesperson Dany Morin.
So far, the CBSA says it hasn't been contacted by the individual or individuals behind the hack and hasn't received any demands.
CBSA has named Perceptics as the target of the hack — but U.S. customs hasn't. However, the Washington Post reported that a Microsoft Word document of a U.S. Customs and Border Protection public statement, sent to reporters, included the name "Perceptics" in the title ("CBP Perceptics Public Statement").
In describing the breach, U.S. officials said the subcontractor transferred copies of images to its company network without the agency's authorization, violating U.S. government policy.
That doesn't seem to be the case for the Canadian side. Public Services and Procurement Canada has reviewed the Canadian contract and told the CBSA the vendor complied with all the terms.
CBSA has issued dozens of contracts to Perceptics for its licence plate reader and radio frequency identification services since 2015, totalling more than $21 million. The agency said it has no immediate plans to switch providers.
"The agency is continuing its review and assessment of the impacts, if any, of the latest event and will decide if action is required once the assessment is completed," said Dorion.
Perceptics has not responded to CBC's request for comment.