The US Customs and Border Protection service said Monday that images of travelers collected at points of entry into the US were stolen in a malicious cyber attack.
The federal agency revealed that license plate images were also exposed in a hack that compromised a subcontractor’s computer network.
It did not specify how many images may have been copied and said none of the data has been identified on the internet or Dark Web. However, the New York Times reported ‘tens of thousands’ of images had been taken.
The images of travelers were captured as part of a facial-recognition program.
A Customs spokesman told the Associated Press that initial reports indicated that the images involved fewer than 100,000 people and the photographs were taken of travelers in vehicles entering and exiting the United States at a single land-border port of entry over one and a half months.
CBP did not name the contractor. It said it learned of the data breach on May 31 and that the subcontractor had transferred copies of the images to its company network in violation of government policies and without the agency’s authorization.
But the announcement comes nearly three weeks after the Register reported CBP’s license-plate scanning tech maker, Perceptics, was hacked by cyber attackers.
The UK-based tech media outlet said someone using the pseudonym ‘Boris Bullet-Dodger’ notified them about the hack and gave a reporter a list of files taken from Perceptics’ corporate network.
Perceptics, the Tennessee-based imaging software company, confirmed it was aware of the hack in an email to the Register.
The Washington Post said its reporters received a Microsoft Word document Monday that included the name ‘Perceptics’ in the title: ‘CBP Perceptics Public Statement.’
Perceptics did not immediately respond to an email seeking comment.
In a 2017 privacy document, the Department of Homeland Security said automated license-plate readers are used for ‘detecting, identifying, apprehending, and removing individuals illegally entering the United States at and between ports of entry or otherwise violating U.S. law.’
Recorded license plates are checked in real time against DHS databases to which 13 federal agencies have access.
CBP said it has alerted members of Congress about the data breach.
The chairman of the House Homeland Security Committee, Rep. Bennie Thompson (D-Miss), noted with alarm that this is the ‘second major privacy breach at DHS this year.’
‘We must ensure we are not expanding the use of biometrics at the expense of the privacy of the American public,’ he said in a statement reported by the Hill.
In March, the Homeland Security Department’s inspector general announced that another of its subdivisions, the Federal Emergency Management Agency, had wrongly released to a contractor the personal information of 2.3 million survivors of devastating 2017 hurricanes and wildfires, potentially exposing those affected to identity fraud and theft, the AP reported.
Thompson said he planned hearings next month on the department’s use of biometric information, which is on the rise, affects millions and is occurring with little congressional oversight.
A US official told the Washington Post that the CBP was treating the breach as a ‘major incident.’
On its website, the agency says that it routinely uses cameras and video recordings of people and vehicles seen at land border crossings and airports to form a growing agency facial-recognition program designed to track the identity of people entering and leaving the country.
Border Patrol personnel process an average of more than a million vehicle passengers and pedestrians who cross the border daily.
That includes more than 690,000 incoming land travelers.