Photos of U.S travelers and license plate images were recently stolen from a database maintained by Customs and Border Protection (CBP), the agency confirmed on Monday.
In a statement to The Hill, a CBP spokesperson said it learned on May 21 that a "subcontractor ... had transferred copies of license plate images and traveler images collected by CBP to the subcontractor's company network."
"The subcontractor’s network was subsequently compromised by a malicious cyber-attack," the spokesperson said.
The spokesperson added the subcontractor had transferred the photos to its own network "in violation of CBP policies and without CBP’s authorization or knowledge."
The federal law enforcement agency maintains an expansive photo database that includes photos of people traveling into and out of the country. CBP, which is part of the Department of Homeland Security (DHS), has not named the subcontractor involved in the data breach.
"As of today, none of the image data has been identified on the Dark Web or internet," the border agency said in a statement. "CBP has alerted Members of Congress and is working closely with other law enforcement agencies and cybersecurity entities, and its own Office of Professional Responsibility to actively investigate the incident."
A CBP official said initial reports indicate the breach involved images of fewer than 100,000 people and were taken of travelers in vehicles entering and exiting the U.S. through a few specific lanes at a single port of entry over 1.5 months. No identifying information was included with the images and no passport or other travel document photographs were compromised. No images of airline passengers were involved, the official said.
CBP is investigating and monitoring for unauthorized disclosure of the material taken in the incident.
Perceptics, a company that sells license plate reader technology to the U.S. government, confirmed in May that it had been hacked. The admission came after hackers posted the internal data of the company to the dark web, according to an article from tech outlet Motherboard.
“We are aware of the breach and have notified our customers. We can’t comment any further because it is an ongoing legal investigation,” Casey Self, director of marketing for Perceptics, said in a statement to Motherboard at the time.
The company contracts with the U.S. government to sell license plate readers, driver cameras and under-vehicle cameras to place at borders between the U.S., Canada and Mexico.
Perceptics did not immediately respond to The Hill's request for comment.