In its rush to gather biometric data from travelers in the US, Customs and Border Protection has apparently neglected basic safeguards to protect it. One of its subcontractors was recently breached, leaving photos of travelers and license plates in the hands of hackers.

The Washington Post first reported the incident, whose full scope remains unclear. But the hack has raised sharp questions about the agency’s already controversial push for biometrics. Facial recognition scans have become more routine at airports; CBP wants it in the top 20 US airports by 2021.

“The CBP program should be suspended pending an investigation,” says Jeramie Scott, senior counsel at the Electronic Privacy Information Center. “The agency simply should not collect this sensitive personal information if it cannot safeguard it.”

The hack

CBP declined to name the breached subcontractor to the Post, but apparently sent the news outlet a Microsoft Word document titled “CBP Perceptics Public Statement.” The Word file strongly suggests that Tennessee-based Perceptics, which makes license plate readers and has a decades-long relationship with CBP, is the vendor in question.

That makes even more sense when you consider that a hacker calling themselves “Boris Bullet-Dodger” dumped hundreds of gigabytes of data stolen from Perceptics on the dark web in May. It’s unclear if that breach, first reported by The Register, is the same as the one CBP copped to Monday. The former became public on May 23; CBP says it found out that its database had been compromised over a week later.

“On May 31, 2019, CBP learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network,” the agency said in a statement. “The subcontractor’s network was subsequently compromised by a malicious cyberattack. No CBP systems were compromised.”

Perceptics did not respond to a request for comment. But regardless of which specific vendor the breach stems from, the upshot is the same.

Who’s affected?

CBP has given precious little information about how many people were impacted, a troubling lack of disclosure. It’s not even clear exactly what type of data—and whether it extends to biometrics beyond photos—the database contained. While CBP says “none of the image data has been identified on the Dark Web or internet,” the dump of hacked Perceptics data just a few short weeks ago doesn’t give much confidence that this breach is contained, or will stay that way.

In short, the only people who know the full scope of this breach are CBP, an unnamed subcontractor, and whoever pulled off the hack.

How serious is this?

Without more clarity on the contents of the database in question, it’s hard to say for sure in terms of the impact on an individual level. Probably pretty bad, though! And on principle, it’s close to a worst-case scenario.

That CBP itself wasn’t directly hacked doesn’t make the situation any better. In fact, it arguably makes things worse; the agency let a third party access incredibly sensitive data, and didn’t ensure that appropriate security measures were in place. That it treats an image database of private citizens with the same lack of care that it does a Microsoft Word doc should set off very loud alarm bells.

“CBP requires that all contractors and service providers maintain appropriate data integrity and cybersecurity controls and follow all incident response notification and remediation procedures,” the agency said in its statement. “CBP takes its privacy and cybersecurity responsibilities very seriously and demands all contractors to do the same.” It’s a fine sentiment; the facts of the case belie it.