Tens of thousands of photos of travelers' faces and license plates were leaked in a cyberattack in late May.
Customs and Border Protection (CBP) described the incident as a “malicious cyber-attack” that took place after the photos were transferred to the network of an unnamed subcontractor without CBP's knowledge, according to a CBP statement reported by BuzzFeed News on Monday.
The total number of compromised photos was not released.
“On May 31, 2019, CBP learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network. The subcontractor’s network was subsequently compromised by a malicious cyber-attack. No CBP systems were compromised,” the statement said.
Breaking: U.S. Customs and Border Protection has confirmed a subcontractor had a data breach, exposing traveler images and license plate photos. https://t.co/ujzitkWESp
— TechCrunch (@TechCrunch) June 10, 2019
A preliminary investigation revealed “the subcontractor violated mandatory security and privacy protocols outlined in their contract,” CBP noted in the statement.
CBP said it has been in communication with Congress, law enforcement and cybersecurity agencies to investigate the cyberattack. “CBP will unwaveringly work with all partners to determine the extent of the breach and the appropriate response,” the agency promised.
The hacked photos have not appeared online or on the dark web so far, CBP said.
“CBP has removed from service all equipment related to the breach and is closely monitoring all CBP work by the subcontractor,” the agency said in the statement.
The photos were captured by CBP during a six-week-long project at a single port of entry where fewer than 100,000 vehicle travelers passing in and out of the U.S. were photographed.
The process is part of the “biometric entry-exit system” that the agency is rolling out with the aim of capturing photos of every American and international airport traveler and applying facial recognition technology.
The project will be implemented in the top 20 airports in the U.S. by 2021.
ah and let’s not forget that DHS & CBP are scrambling to implement their “biometric entry-exit system,” with the goal of using facial recognition on more than 100 million passengers traveling on international flights out of the US in as little as 2 years https://t.co/EFElq77VN3 pic.twitter.com/ucpVEWV6Gg
— Davey Alba (@daveyalba) June 10, 2019
It has drawn criticism from civil rights advocates who say the project is a violation of privacy.
“This incident further underscores the need to put the brakes on these efforts and for Congress to investigate the agency’s data practices. The best way to avoid breaches of sensitive personal data is not to collect and retain such data in the first place,” Neema Singh Guliani, a lawyer for the American Civil Liberties Union, said in a statement reported by BuzzFeed.
“Government use of biometric and personal identifiable information can be valuable tools only if utilized properly. Unfortunately, this is the second major privacy breach at DHS this year,” Rep. Bennie Thompson, chairman of the House Homeland Security Committee, told BuzzFeed.
“We must ensure we are not expanding the use of biometrics at the expense of the privacy of the American public,” he added.