US Customs and Border Protection announced Monday photos of travelers and license plates were recently compromised in a data breach.
In a statement, CBP said it learned on May 31 that a subcontractor “had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network. The subcontractor’s network was subsequently compromised by a malicious cyber-attack.”
The agency has notified Congress and is working with law enforcement and cybersecurity entities to “determine the extent of the breach and the appropriate response,” according to the statement.
The images involve fewer than 100,000 people, according to initial reports, a CBP spokesperson said. The photographs were taken of travelers in vehicles entering and exiting the United States through a few specific lanes at a single land border port over one and a half months, said CBP.
“No other identifying information was included with the images,” said the spokesperson.
The photographs did not involve airline passengers, according to CBP.
The Washington Post first reported on the data breach.
CBP said its own systems had not been compromised, and the agency writes that, as of Monday, “none of the image data has been identified on the Dark Web or internet.”
The subcontractor “violated mandatory security and privacy protocols outlined in their contract,” according to CBP, which said it was unaware of the image copies transfers.
“CBP takes its privacy and cybersecurity responsibilities very seriously,” the statement reads, “and demands all contractors to do the same.”
Although the breach did not involve airline travel, it comes as CBP moves to expand its biometric data collection through facial recognition exit technology at airports, a move that has drawn scrutiny and concern from privacy advocates.
CBP has held at least a couple of meetings with privacy advocacy groups to discuss CBP’s biometric program.
Last fall, airport and federal officials showed off facial recognition technology, designed to replace the paper boarding pass and speed up the international flight boarding process.
John Wagner, the deputy executive assistant commissioner at CBP, said at the time that the technology is in response to a mandate from Congress that the Department of Homeland Security develop a system for tracking foreigners’ arrivals and departures from the United States.
“Everybody knows how to pose for a picture,” said Kevin McAleenan, who was then serving as CBP commissioner and now serves as the acting secretary of homeland security.
Privacy advocates pushed back on the move last year and are again arguing for a slow-down of CBP’s information collection efforts.
“This breach comes just as CBP seeks to expand its massive face recognition apparatus and collection of sensitive information from travelers, including license plate information and social media identifiers,” said American Civil Liberties Union spokeswoman Neema Singh Guliani in a statement.
“This incident further underscores the need to put the brakes on these efforts and for Congress to investigate the agency’s data practices,” Singh Guliani added. “The best way to avoid breaches of sensitive personal data is not to collect and retain such data in the first place.”
House Homeland Security Chairman Bennie Thompson said he plans to hold hearings next month on the agency’s use of biometric information.
“Government use of biometric and personal identifiable information can be valuable tools only if utilized properly. … We must ensure we are not expanding the use of biometrics at the expense of the privacy of the American public,” the Mississippi Democrat said in a statement.
This story has been updated.
CNN’s Gregory Wallace contributed to this report.