Customs and Border Protection officials on Monday said personal information the agency collected on travelers was exposed in “a malicious cyber-attack.”
The breach occurred after one of CBP’s subcontractors illegally transferred images of travelers and license plate photos collected by the agency to its internal networks, which were then compromised by the attack, according to a CBP spokesperson. The agency declined to name the subcontractor that was compromised.
The New York Times reported somewhere between 10,000 and 100,000 images were stolen in the breach. However, the agency declined to comment on how many images were leaked and whether the travelers involved in the breach were U.S. citizens.
As of June 10, the agency said none of the images had been identified “on the Dark Web or internet.” The agency said officials were first made aware of the breach on May 31.
According to the spokesperson, early evidence indicated the subcontractor had violated the security and privacy protocols outlined in the agreement. None of the agency’s internal systems were compromised, they said.
“CBP has removed from service all equipment related to the breach and is closely monitoring all CBP work by the subcontractor,” the spokesperson said in a statement. The agency has already alerted Congress, other law enforcement agencies and cybersecurity organizations about the breach, and they are investigating the incident, according to the spokesperson.
Though the agency wouldn’t name the breached contractor, the Washington Post reported an early copy of CBP’s public statement included the name “Perceptics” in the title. Perceptics, a Tennessee-based company that’s worked with CBP since 1982, had been hacked last month, according to Motherboard. The company’s license plate readers are reportedly deployed at every checkpoint along the U.S.-Mexico border.
In recent years, CBP has expanded its use of biometric technology to keep tabs on the people entering and exiting the country. The agency currently has facial recognition systems deployed in some capacity at 16 airports and three border checkpoints around the country, and it plans to ramp up those efforts significantly in the years ahead.
The agency didn’t respond to questions about whether the breach involved any images collected through its facial recognition program.
CBP officials have said the agency’s use of biometrics falls short of the dystopian applications feared by many of the tech’s critics, but that hasn’t stopped lawmakers and legal experts from questioning the effectiveness and constitutionality of such programs. Last month, House Oversight Committee members from both parties called for more restrictions on federal law enforcement’s use of facial recognition.
“Government use of biometric and personal identifiable information can be valuable tools only if utilized properly,” House Homeland Security Committee Chairman Bennie Thompson said in a statement on the recent data breach. “Unfortunately, this is the second major privacy breach at DHS this year,” he said, referring to a leak that exposed information on 2.3 million disaster survivorscollected by the Federal Emergency Management Agency.
“We must ensure we are not expanding the use of biometrics at the expense of the privacy of the American public,” he continued. “I intend to hold hearings next month on Homeland Security’s use of biometric information.”