US Customs and Border Protection (CBP) has suffered a data breach involving hackers getting access to photos of travelers as their cars drove through a port of entry.
The attackers targeted a third-party subcontractor, which had been storing the sensitive files over its own network. "The subcontractor's network was subsequently compromised by a malicious cyber-attack. No CBP systems were compromised," the agency said in a statement on Monday. The Washington Post was the first to report the news.
According to CBP, fewer than 100,000 people had their photos exposed in the breach, which also involved license plate images of the cars they traveled in. However, no passport details, travel documents or facial recognition images taken at airports were compromised in the hack. And aside from the license plates, the exposed photos in the breach included no other identifying information.
It isn't clear why the unnamed subcontractor was storing the data, but the CBP only learned of it late last month. "Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract," the agency added.
In response to the hack, Customs and Border Protection has been removing all the equipment related to the breach and monitoring all agency work done by the unnamed subcontractor. "CBP has alerted Members of Congress and is working closely with other law enforcement agencies and cybersecurity entities, and its own Office of Professional Responsibility to actively investigate the incident," the agency said.
CBP also claims the stolen data has not been found on the internet or on the Dark Web. However, last month a hacker reportedly uploaded a stolen database taken from Tennessee-based Perceptics, a company that supplies license plate reading technology to Customs and Border Protection. According to The Register, the uploaded database included files of locations, ZIP codes, and images that appeared to be license plate captures.
So far, CBP has not commented on whether today's reported breach is related to Perceptics. But The Washington Post is reporting the hack did involve a database at Tennessee-based company, which was allegedly attempting to match a car's license plate with the occupants traveling inside the vehicle.
Although no CBP-controlled network was breached in the hack, the incident underscores the security risks of a government agency collecting the personal data on so many people: it could one day leak, the American Civil Liberties Union said.
"This breach comes just as CBP seeks to expand its massive face recognition apparatus and collection of sensitive information from travelers, including license plate information and social media identifiers," said ACLU legislative counsel Neema Singh Guliani in a statement.
"The best way to avoid breaches of sensitive personal data is not to collect and retain such data in the first place," she added.
Editor's Note: This story has been updated with more information from CBP.