U.S. Customs and Border Protection has confirmed a data breach has exposed the photos of travelers and vehicles traveling in and out of the United States.
The photos were transferred to a subcontractor’s network and later stolen through a “malicious cyberattack,” a CBP spokesperson told TechCrunch in an email.
CBP’s networks were unaffected by the breach.
“CBP learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network,” said an agency statement.
“Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract,” the statement read.
The agency first learned of the breach on May 31.
When asked, a spokesperson for CBP didn’t say how many photos were taken in the breach or if U.S. citizens were affected. The agency also didn’t name the subcontractor.
The breach comes weeks after a report said Perceptics, a government contractor, which claims to be the “sole provider” of license plate readers at U.S. land borders, was breached and its data was dumped on the dark web. It’s not known if the two incidents are linked. But according to the Washington Post, a Microsoft Word document containing the statement included “Perceptics” in the title. (TechCrunch received the statement as text in an email.)
CBP, however, said that ‘none of the image data has been identified on the Dark Web or internet.”
A spokesperson for Perceptics did not immediately comment.
It remains unclear exactly what kind of photos were taken, such as if the images were collected directly from CBP officers by visitors entering the U.S. or part of the agency’s rollout of facial recognition technology at U.S. airports. A person familiar said it likely had no connection to the use of facial recognition by airlines as their systems match but don’t store facial data.
The agency, which processes more than a million travelers entering the U.S. every day, maintains a database of traveler images, including passport and visa photos. The database has come under fire from a federal watchdog, which said the accuracy of the system was subpar.
More than a dozen U.S. airports are already rolling out the facial recognition technology, with many more to go before the U.S. government hits its target of enrolling the largest 20 airports in the country before 2021.
CBP said it had notified members of Congress and is “closely monitoring” CBP-related work by the subcontractor.
News of the CBP breach has drawn ire from the civil liberties crowd, which have long opposed the collection of facial recognition at the border.
In remarks, ACLU senior legislative counsel Neema Singh Guliani said the breach “further underscores the need to put the brakes” on the government’s facial recognition efforts.
“The best way to avoid breaches of sensitive personal data is not to collect and retain such data in the first place,” she said.