U.S. Customs and Border Protection said Monday that one of its subcontractors had been breached in a “malicious cyberattack,” compromising an unspecified number of images of travelers and license plates.
The hackers struck after the unnamed subcontractor transferred copies of the images collected by CBP to the subcontractor’s network, the Department of Homeland Security agency said in a statement.
“Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract,” a CBP spokesperson said, adding that the breached data had yet to show up on the dark web or public internet.
In an updated statement Monday night, a CBP official said the compromised traveler images appeared to involve fewer than 100,000 people. “[P]hotographs were taken of travelers in vehicles entering and exiting the United States through a few specific lanes at a single land border Port of Entry over a 1.5-month period,” the official said. “No other identifying information was included with the images.”
CBP, which learned about the hack on May 31, has told members of Congress about the breach and is working with law enforcement agencies and “cybersecurity entities” to investigate, the spokesperson said.
While CBP did not identify the hacked subcontractor, the statement it emailed to The Washington Post included “Perceptics” in the title. Tennessee-based Perceptics, which provides license-plate-scanning services for CBP, was the victim of a hack and had its data posted to the dark web, The Register reported last month. It is unclear if that is the same breach announced by CBP on Monday.
Perceptics could not be immediately reached for comment.
As U.S. officials have employed a range of technologies to track people attempting to cross the U.S.-Mexico border, concerns around the privacy and security of the data collected have grown. A report last year from DHS’s inspector general found that IT systems used by the CBP to share data gathered by drones are “at increased risk of compromise by trusted insiders and external sources” because of security shortcomings.
Democrats in Congress demanded to know how CBP would better protect traveler data.
Sen. Ron Wyden, D-Ore., called on the CBP to notify anyone whose information was compromised in the breach, and said the government “needs to explain exactly how it intends to prevent this kind of breach from happening in the future.”
“If the government collects sensitive information about Americans, it is responsible for protecting it – and that’s just as true if it contracts with a private company,” Wyden said.
Rep. Bennie Thompson, D-Miss., chairman of the House Homeland Security Committee, said he planned to hold hearings next month on DHS’s use of biometric information. “We must ensure we are not expanding the use of biometrics at the expense of the privacy of the American public,” Thompson said.