A significant security vulnerability at U.S. Customs and Border Protection has emerged through an unexpected channel: online study flashcards. A public Quizlet set created in February 2024 contained highly sensitive operational information about CBP facilities near Kingsville, Texas, including specific entry codes and internal security procedures.

The Digital Paper Trail

The flashcard set, titled “USBP Review,” remained publicly accessible until March 20, when it was made private within thirty minutes of WIRED reaching out to a phone number potentially linked to the Quizlet user. The timing raises questions about whether current CBP personnel or contractors may have inadvertently exposed classified operational details while preparing for examinations or training.

According to the investigation, an individual with the user’s name was listed at an address less than a mile from a Kingsville CBP facility, though WIRED could not definitively verify that the flashcard creator was an active CBP agent or contractor.

Compromised Operational Security

The exposed information included specific four-digit access codes for checkpoint doors and facility gates. Multiple cards asked for entry combinations to different sections of the facility, with exact numerical codes provided as answers. The flashcards also detailed immigration offense procedures, federal charges, and forms required for various enforcement actions.

Additional cards revealed the Kingsville workforce’s 1,932-square-mile area of responsibility, including county boundaries and internal organizational systems. Eleven CBP “towers” in the region were named, with some corresponding to the compromised gates and access points.

Internal Systems Exposed

Perhaps most concerning was the detailed description of “E3 BEST,” an internal CBP system that allows officers to “record, investigate and adjudicate secondary referrals at USBP checkpoints.” The flashcard explained that this system enables simultaneous queries of “subjects and vehicles through multiple law enforcement databases” and creates “e3 Events for referrals resulting in an arrest.”

Such operational details, if accessible to hostile actors, could compromise checkpoint procedures and potentially endanger both officers and legitimate travelers crossing the border.

Pattern of Security Challenges

This incident occurs against a backdrop of ongoing cybersecurity vulnerabilities within CBP. The Department of Homeland Security’s Inspector General documented a major 2019 breach where a subcontractor, Perceptics LLC, transferred copies of CBP’s biometric data to its own network without authorization, ultimately compromising approximately 184,000 traveler images when the contractor’s systems were subjected to a malicious cyber attack.

The 2019 incident highlighted how third-party partnerships can create unexpected security vulnerabilities, while the current flashcard exposure demonstrates how routine training materials can become vectors for information compromise.

Agency Response and Implications

CBP’s Office of Professional Responsibility is reviewing the incident, though the agency emphasized that “a review should not be taken as an indication of wrongdoing.” Quizlet responded by stating they “take reports of sensitive or inappropriate content seriously” and encourage users to report concerning material.

The breach comes during CBP’s rapid hiring surge, with recruitment and retention incentives up to $60,000 for new agents. Immigration and Customs Enforcement is similarly expanding, offering $50,000 signing bonuses and up to $60,000 in student loan repayment. This aggressive recruitment may be contributing to security protocols being overlooked in favor of expedited training processes.

Broader Security Implications

The flashcard incident underscores how digital learning platforms, while beneficial for training, can become unintended repositories of sensitive government information. Unlike traditional classified documents with clear handling procedures, study materials often exist in a gray area where security protocols may be less rigorously applied.

The White House’s FISMA Annual Report documented eleven major government cybersecurity incidents in 2023, with nearly 32,211 total cybersecurity events reported across federal agencies. This represents a ten percent increase from the previous year, suggesting that government security vulnerabilities are becoming increasingly common rather than isolated incidents.

For CBP, an agency tasked with safeguarding the American homeland, such exposures potentially damage public trust in the government’s ability to protect sensitive operational information. The incident also raises questions about training protocols and whether adequate security awareness exists among personnel who handle classified operational details.

This article draws on reporting from Ars Technica and DHS Office of Inspector General.