US Customs and Border Protection (CBP) officials on Monday said that one of its subcontractors had been breached in a “malicious cyberattack,” exposing images of travelers coming in and out of the country.
Less than 100,000 people had their information compromised by the attack, according to a law enforcement official.
The database, which comprised of photos of people’s faces and license plates, had been transferred to the subcontractor’s network without the federal agency’s authorization or knowledge, a CBP spokesperson told The Register.
However, the stolen photo data didn’t include any identifying information, and no passport or other travel document photos were compromised.
The breach first came to light on May 31.
While the CBP didn’t take the name of the subcontractor, The Register had reported on May 24 that a hacker by the name “Boris Bullet-Dodger” pilfered data from Perceptics, a company that provides license plate reader technology for the US-Mexico border, and offered the dump as a free download on the dark web.
It’s not immediately clear if the two incidents are connected, although the CBP went on to confirm none of the image data has been identified on the Dark Web or internet.
News of the breach comes as facial recognition tech has been the subject of a growing debate among civil liberty groups and lawmakers, who have raised concerns related to false matches and arrests while balancing the need for public safety.
It’s a known fact that CBP makes use of cameras and video recordings at airports and land border crossings. The captured images are used as part of a facial-recognition program designed to track the identity of people entering and exiting the US.
With databases containing personal identifying information becoming an alluring target for hackers and cybercriminals, the incident further underscores the need for careful evaluation of data collection practices by government agencies.