A federal subcontractor for U.S. Customs and Border Protection suffered a cyberattack that likely compromised tens of thousands of photos of travelers’ faces and their vehicles’ license plates, the Wall Street Journal reports. The attack prompted fresh criticism of how the government protects the reams of personal data it collects. An agency spokesman said CBP learned last month that the subcontractor, in violation of security policies, had transferred copies of license-plate images and traveler images that had been collected by CBP. “The subcontractor’s network was subsequently compromised by a malicious cyberattack,” the spokesman said. “No CBP systems were compromised.”
The identity of the subcontractor wasn’t disclosed. Privacy advocates and some Democratic lawmakers said the news illustrated longstanding concerns about the CBP program, which uses cameras at airports and land-border crossings to capture images of travelers and vehicles. Those images are stored in an expanding facial-recognition program intended to track people who enter or leave the U.S. “This breach comes just as CBP seeks to expand its massive face recognition apparatus and collection of sensitive information from travelers, including license plate information and social media identifiers,” said Neema Guliani of the American Civil Liberties Union “This incident further underscores the need to put the brakes on these efforts and for Congress to investigate the agency’s data practices.” Initial findings indicated that fewer than 100,000 people had their images compromised. The stolen photos were of travelers in vehicles entering and leaving the U.S. via specific lanes at one border point of entry over a month-and-a-half period. No other identifying information or travel document images were compromised.