U.S. Customs and Border Protection has confirmed a data breach has exposed the photos of travelers and vehicles traveling in and out of the United States.
The photos were transferred to a subcontractor’s network and later stolen through a “malicious cyberattack,” a CBP spokesperson told TechCrunch in an email.
CBP’s networks were unaffected by the breach.
“CBP learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network,” said an agency statement.
“Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract,” the statement read.
The agency first learned of the breach on May 31.
A spokesperson for the agency later said the security incident affected “fewer than 100,000 people” through a “few specific lanes at a single land border” over a period of a month and a half.
“No passport or other travel document photographs were compromised and no images of airline passengers from the air entry/exit process were involved,” the spokesperson said.
The agency did not name the subcontractor.
The breach comes weeks after a report said Perceptics, a government contractor, which claims to be the “sole provider” of license plate readers at U.S. land borders, was breached and its data was dumped on the dark web. It’s not yet known if the two incidents are linked. But according to the Washington Post, a Microsoft Word document containing the statement included “Perceptics” in the title. (TechCrunch received the statement as text in an email.)
CBP, however, said that ‘none of the image data has been identified on the Dark Web or internet.”
A spokesperson for Perceptics did not immediately comment.
It remains unclear exactly what kind of photos were taken, such as if the images were collected directly from CBP officers by visitors entering the U.S. or part of the agency’s rollout of facial recognition technology at U.S. ports of entry.
A CBP spokesperson did not return a follow-up email.
The agency processes more than a million travelers entering the U.S. every day.
CBP said it had notified members of Congress and is “closely monitoring” CBP-related work by the subcontractor.
Ron Wyden, a Democratic senator vocal on national security issues, said the government “needs to explain exactly how it intends to prevent this kind of breach from happening in the future.”
“This incident should be a lesson to those who have supported expanding government surveillance powers – these vast troves of Americans’ personal information are a ripe target for attackers,” said Wyden.
News of the CBP breach has drawn ire from the civil liberties crowd, which have long opposed the collection of facial recognition at the border.
In remarks, ACLU senior legislative counsel Neema Singh Guliani said the breach “further underscores the need to put the brakes” on the government’s facial recognition efforts.
“The best way to avoid breaches of sensitive personal data is not to collect and retain such data in the first place,” she said.
Updated with new information from CBP.