U.S. Customs and Border Protection (CBP) released a statement Monday confirming that photos of travelers and the license plates of their vehicles were compromised in a data breach of a CBP subcontractor.

“CBP learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network,” the agency stated.

“Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract,” the statement said.

CBP said the compromised trove of images includes “fewer than 100,000 people.” The images were captured at a single unspecified land border over a period of about a month and a half.

“No passport or other travel document photographs were compromised and no images of airline passengers from the air entry/exit process were involved,” a CBP spokesperson said.

The statement did not name the subcontractor involved in the breach, but TechCrunch noted a government contractor company named Perceptics was recently involved in a hacking incident that saw some of its data dumped onto the dark web. Perceptics bills itself as the “sole provider” of license plate readers to border stations and the company’s name appeared in the title of the Microsoft Word document containing the CBP statement to the media.

A CBP spokeswoman was “unable to confirm” whether Perceptics was the subcontractor targeted by the breach when asked by the Washington Post.

CBP stated that none of the image data stolen in the breach has been found on either the normal Internet or the dark web. However, several media organizations claim to have discovered traveler data posted on the dark web within hours of the breach occurring in late May. Those data troves were hundreds of gigabytes in size and included sensitive financial and personal information in addition to images and location data.

An unnamed U.S. official told the Washington Post the breach is seen as a “major incident” inside CBP and did indeed involve Perceptics, which was using the data to improve its software for matching license plates with the faces of drivers and passengers as cars move through border checkpoints.

“CBP has alerted members of Congress and is working closely with other law enforcement agencies and cybersecurity entities, and its own Office of Professional Responsibility to actively investigate the incident,” the agency said.

CNN noted that CBP has been expanding its collection of biometric data via airport scanners and has met with privacy advocates to discuss their concerns. One of the major biometric initiatives involves using facial recognition technology to replace boarding passes and speed the process of boarding airplanes, beginning with international flights.

“This incident further underscores the need to put the brakes on these efforts and for Congress to investigate the agency’s data practices. The best way to avoid breaches of sensitive personal data is not to collect and retain such data in the first place,” the American Civil Liberties Union (ACLU) said.

Sen. Ron Wyden (D-OR) expressed similar concerns to the Washington Post, criticizing CBP and its contractors for failing to protect sensitive data and failing to inform affected individuals immediately after the breach was discovered at the end of May.

“Anyone whose information was compromised should be notified by Customs, and the government needs to explain exactly how it intends to prevent this kind of breach from happening in the future,” Wyden said.

Hearings on biometrics are scheduled for next month in the House of Representatives, according to House Homeland Security chair Bennie Thompson (D-MS).

“Government use of biometric and personal identifiable information can be valuable tools only if utilized properly. Unfortunately, this is the second major privacy breach at DHS this year. We must ensure we are not expanding the use of biometrics at the expense of the privacy of the American public,” said Thompson.