Newly released data shows Customs and Border Protection funneled the DNA of nearly 2,000 US citizens—some as young as 14—into an FBI crime database, raising alarms about oversight and legality.
Analysis Summary
# Incident Report: Unauthorized DNA Collection and Submission to CODIS by DHS/CBP
## Executive Summary
Between 2020 and 2024, the Department of Homeland Security (DHS), primarily through Customs and Border Protection (CBP), engaged in the systematic collection of DNA samples from US citizens, including minors, without authorization or statutory justification, and submitted these samples (nearly 2,000 known citizen profiles) to the FBI's national crime database (CODIS). This expansion of genetic surveillance, often justified under civil enforcement rather than criminal arrest, raises significant privacy and legal concerns and exposes those included to heightened monitoring.
## Incident Details
- **Discovery Date:** Not explicitly stated, but the analysis of newly released government data that revealed the scope occurred sometime before September 23, 2025.
- **Incident Date:** Ongoing collection activity spanning 2020 through 2024.
- **Affected Organization:** Department of Homeland Security (DHS) and Customs and Border Protection (CBP).
- **Sector:** Government/Law Enforcement/Border Security.
- **Geography:** United States (DNA collection occurring at points of entry/detention).
## Timeline of Events
### Initial Access
- **Date/Time:** Beginning around April 2020.
- **Vector:** Change in DOJ policy and subsequent agency actions facilitated mass DNA collection under civil authority.
- **Details:** An April 2020 Justice Department rule revoked a waiver that had allowed DHS to skip DNA collection for immigration detainees, effectively green-lighting mass sampling from individuals who have not been charged with a crime.
### Lateral Movement
*This incident does not involve network intrusion or traditional lateral movement, but rather the transfer of data (DNA profiles) between agency systems.*
- **Progression:** CBP collected DNA samples (cheek swabs) from individuals, including US citizens and minors.
- **Transfer:** These profiles were funneled into the FBI’s Combined DNA Index System (CODIS).
### Data Exfiltration/Impact
- **Impact:** Nearly 2,000 US citizens' DNA profiles were entered into CODIS between 2020 and 2024, including approximately 95 minors (some as young as 14).
- **Scope:** DHS contributed roughly 2.6 million profiles to CODIS since 2020, 97% of which were collected under civil, not criminal, authority. If unchecked, DHS may account for one-third of CODIS by 2034.
### Detection & Response
- **Detection:** Analysis of newly released government data by Georgetown Law’s Center on Privacy & Technology brought the scope of the unauthorized collection to light.
- **Response actions taken:** (No immediate organizational response actions mentioned; the reporting serves as the primary alert or external pressure point.)
## Attack Methodology
*Note: This addresses the methodology of the programmatic action rather than a traditional intrusion.*
- **Initial Access:** CBP officers exercised broad discretion during border encounters or detentions to demand cheek swabs.
- **Persistence:** DNA profiles, once in CODIS, lead to lifelong potential scrutiny by law enforcement.
- **Privilege Escalation:** Citing civil penalties, or leaving the "charges" field blank, as justification for swabs that are reserved for criminal arrests.
- **Defense Evasion:** The program operated outside the bounds of statutory authorization and existing oversight mechanisms.
- **Credential Access:** N/A (Genetic data, not passwords, were compromised).
- **Discovery:** N/A (Program was internal until external analysis).
- **Lateral Movement (Data Flow):** Transfer of genetic profiles from DHS systems to the FBI's CODIS database.
- **Collection:** Cheek swabs (DNA samples) collected from American citizens, including minors.
- **Exfiltration (Data Sharing):** Transfer of profiles to the centralized FBI CODIS system.
- **Impact:** Creation of a permanent, unvetted genetic record in a national criminal database for millions, including US citizens with no criminal basis for inclusion.
## Impact Assessment
- **Financial:** Not estimated in the context.
- **Data Breach:** Sensitive biometric/genetic data (DNA profiles) of nearly 2,000 US citizens entered into a system intended for criminal offenders.
- **Operational:** The flood of submissions strained the FBI's CODIS system, leading to a backlog of approximately 650,000 unprocessed kits by 2023, slowing down investigative leads for actual criminal cases.
- **Reputational:** Significant loss of trust in DHS/CBP regarding privacy and statutory adherence.
## Indicators of Compromise
*Focusing on system overloading and data corruption/misclassification:*
- **Network indicators:** N/A (Internal operational policy change).
- **File indicators:** DNA profile submissions that are flagged as being generated under "civil authority" rather than criminal charges, or profiles lacking corresponding charge information.
- **Behavioral indicators:** Unprecedented monthly submission rates (rising from a few thousand to 92,000 per month between 2020 and 2023).
## Response Actions
- **Containment measures:** N/A (The systemic issue requires legislative or policy reversal, not typical technical containment).
- **Eradication steps:** N/A (The article implies removal/scrubbing of unauthorized profiles from CODIS is needed, but specifics are not detailed).
- **Recovery actions:** N/A (The recovery involves restoring appropriate legal oversight and ensuring compliance).
## Lessons Learned
- **Key takeaways:** Federal agencies expanded genetic surveillance far beyond Congressional authorization, leveraging policy changes (April 2020 DOJ rule) to weaponize a system (CODIS) initially meant for violent crime investigations against general population groups.
- **What could have been done better:** Stronger Congressional oversight of agency policy implementations, especially those involving biometric collection from citizens and minors.
## Recommendations
- Immediate review and audit of all DHS/CBP DNA profiles submitted to CODIS since 2020 to identify and purge entries from US citizens or individuals lacking statutory justification (i.e., criminal arrest).
- Re-establish clear statutory boundaries preventing the mass collection of DNA from individuals held solely on civil immigration grounds.
- Implement stricter procedural controls to ensure DNA collection only occurs when explicitly authorized by federal statute for criminal investigations.