Read: Who owns your face?

CBP claims it has already conducted a search, but hasn’t found any of the stolen images on the dark web, where hackers sometimes post stolen information for sale. In its statement to The Atlantic, CBP said it’s working with law enforcement to continue the search and survey the full extent of the damage. It hasn’t yet commented on the scope of the breach or offered specifics on the data that were stolen. Perceptics did not immediately respond to a request for comment.

“I would be cautious about assuming this data breach contains only photo data,” said Chad Loder, the CEO of Habitu8, a cybersecurity firm that trains other companies on security awareness. The full scope of the breach may be much larger than what CBP revealed in its original statement, he said. In recent years, CBP has asked travelers for fingerprints, facial data, and, recently, even social-media accounts. “If CBP’s contractor was targeted specifically, it’s unlikely that the attacker would have stopped with just photo data,” Loder told me.

It’s not just the breadth of data federal agencies collect that privacy experts find worrying; it’s also the number of people exposed. For example, CBP reported in April that it has used biometric data to catch 7,000 travelers who overstayed their visa so far. Now consider that the Department of Homeland Security estimates that only 1.47 percent of visa holders overstay their limits, and that only a small minority of travelers in the United States are visa holders. In order to come up with 7,000 needles in the haystack, CBP would need to have surveilled millions more—people who are under no suspicion of committing any crime.

Read: Facial-recognition software might have a racial-bias problem

By 2023, the Department of Homeland Security aims to use facial recognition on 97 percent of departing air passengers. There are, to this day, no laws preventing it from doing so.

The breach comes only two weeks after privacy scholars and activists testified for hours on the dangers of facial-recognition technology before the House Committee on Oversight and Reform. During the hearing, some panelists called for a nationwide ban on the technology, citing privacy concerns and the risk of a widespread data breach. While divided on whether to step up regulation or fully ban the technology, the experts agreed that the time for reform is now.

The more information the government collects, the more attractive that information is to bad actors, and the more people have to be involved in storing and securing it—all of whom have their own associated risk vectors. At the scale that DHS hopes to achieve, that means any vulnerability could prove disastrous. Andrew Ferguson, a law professor at the University of the District of Columbia who testified at the May hearing, told me that accuracy issues compromise the reliability of facial recognition, and current legislation is far too weak to prevent misuse. “The technology is not ready for prime time,” he said. “And as was just demonstrated with the hack, the security systems are not ready for prime time either.”

We want to hear what you think about this article. Submit a letter to the editor or write to letters@theatlantic.com.