US Customs and Border Protection announced Monday that photos of travelers and license plates were recently compromised in a data breach.
In a statement, CBP said it learned on May 31 that a subcontractor “had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network. The subcontractor’s network was subsequently compromised by a malicious cyber-attack.”
The agency has notified Congress and is working with law enforcement and cybersecurity entities to “determine the extent of the breach and the appropriate response,” according to the statement.
The Washington Post first reported on the data breach.
CBP said its own systems had not been compromised, and the agency wrote that, as of Monday, “none of the image data has been identified on the Dark Web or internet.”
The subcontractor “violated mandatory security and privacy protocols outlined in their contract,” according to CBP, which said it was unaware of the transfer of the image copies.
“CBP takes its privacy and cybersecurity responsibilities very seriously,” the statement reads, “and demands all contractors to do the same.”
It’s unclear exactly which types of images were compromised during the attack, but the breach comes as CBP moves to expand its biometric data collection through facial recognition exit technology at airports.
Last fall, airport and federal officials showed off facial recognition technology, designed to replace the paper boarding pass and speed up the international flight boarding process.
John Wagner, the deputy executive assistant commissioner at CBP, said at the time that the technology is in response to a mandate from Congress that the Department of Homeland Security develop a system for tracking foreigners’ arrivals and departures from the United States.
“Everybody knows how to pose for a picture,” said Kevin McAleenan, who was then serving as CBP commissioner and now serves as the acting secretary of Homeland Security.
Privacy advocates pushed back on the move last year and are again arguing for a slow-down of CBP’s information collection efforts.
“This breach comes just as CBP seeks to expand its massive face recognition apparatus and collection of sensitive information from travelers, including license plate information and social media identifiers,” said American Civil Liberties Union spokeswoman Neema Singh Guliani in a statement.
“This incident further underscores the need to put the brakes on these efforts and for Congress to investigate the agency’s data practices,” Singh Guliani added. “The best way to avoid breaches of sensitive personal data is not to collect and retain such data in the first place.”