A US Customs and Border Protection (CBP) data breach has exposed travelers’ photos and license plate information, renewing concerns about expanded facial recognition and federal surveillance systems.

A “malicious cyber-attack” hit a CBP “subcontractor” that had stored “copies of license plate images and traveler images collected by CBP”, the agency said in a statement on Monday. CBP said “none of the image data has been identified on the dark web or internet”, but declined to answer questions about the scope of the attack and stolen data, and refused to name the subcontractor.

The US government maintains vast databases of travelers’ personal information, including passport and visa photos, and airlines have also increasingly used facial recognition technology, sharing biometric data with federal agencies that store the sensitive information. CBP has been expanding its facial-scanning systems to international airports across the country since Donald Trump’s 2017 executive order expediting the deployment of this surveillance.

“This breach comes just as CBP seeks to expand its massive face recognition apparatus and collection of sensitive information from travelers, including license plate information and social media identifiers,” Neema Singh Guliani, American Civil Liberties Union senior legislative counsel, said in a statement. “This incident further underscores the need to put the brakes on these efforts and for Congress to investigate the agency’s data practices.”

The best way to avoid these kinds of breaches, Guliani added, “is not to collect and retain such data in the first place”.

A CBP spokesperson declined to comment on the number of people affected and the kind of information compromised, though a government official told the New York Times no more than 100,000 people had their data stolen. The agency sought to cast blame on the subcontractor, saying the unnamed firm violated CBP policies when it “transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network”.

CBP said it discovered the issue on 31 May, and that the subcontractor had transferred the data “without CBP’s authorization or knowledge” in violation of “mandatory security and privacy protocols outlined in their contract”. The agency has since removed all equipment related to the breach and alerted Congress and other law enforcement agencies to the incident.

“CBP will unwaveringly work with all partners to determine the extent of the breach and the appropriate response,” the statement said, adding that no CBP systems were compromised.

Privacy activists have been sounding the alarm about the potential for data to be misused as law enforcement agencies, including US immigration authorities, have escalated surveillance of license plate data, travelers’ social media accounts and other private information.

Last week, a coalition of activist groups launched a new tool meant to help travelers avoid invasive facial recognition technologies at airports.

“Even if you trust the government with your biometric information, which you shouldn’t, once our faces are scanned and stored in a database, they can be stolen and used for nefarious purposes,” said Jelani Drew, a campaigner at Fight for the Future, one of the groups behind the new tool. “This technology is sold to companies under the lie that [it] makes us more safe, but in fact, it makes us less safe.”

In May, San Francisco lawmakers voted to make the city the first in the US to ban police and other government agencies from using facial recognition technology. The state of California and other municipalities across the country are now considering similar proposals.