The cyberattack comes amid the ongoing rollout of CBP's “biometric entry-exit system,” the government initiative to biometrically verify the identities of all travelers crossing US borders. As BuzzFeed News reported earlier this year , CBP is scrambling to implement the initiative with the goal of using facial recognition technology on “100 percent of all international passengers,” including American citizens, in the top 20 US airports by 2021. And it is doing so in the absence of proper vetting, regulatory safeguards, and what privacy advocates say is in defiance of the law, BuzzFeed News found.

No other identifying information was included with the photos and no passport or other travel document photos were compromised, the official said. Images of airline passengers from the air entry and exit process were also not involved.

The compromised photos were taken of travelers in vehicles coming in and out of the US through specific lanes at a single Port of Entry over a one and a half months period. Fewer than 100,000 people had their information compromised by the attack, according to a law enforcement official.

The database of identifying traveler photos and license plate images had been transferred to a CBP subcontractor's network without the federal agency's authorization or knowledge, CBP explained. The subcontractor's network was then hacked, though CBP said its own systems had not been compromised.

A US Customs and Border Protection subcontractor suffered a data breach that exposed the photos of tens of thousands of travelers coming in and out of the United States, the agency revealed Monday, in what it described as a "malicious cyber-attack."

“There should never have been the ability to download a database like this off of government servers.”

In May, The Register reported that Perceptics, the maker of vehicle license plate readers used by the US government and cities to identify and track citizens, was hacked, and its files were dumped online. CBP did not respond to questions from BuzzFeed News asking whether the breach the US agency announced today and the Perceptics hack are related.

Perceptics did not immediately respond to a request for comment.

"This breach comes just as CBP seeks to expand its massive face recognition apparatus and collection of sensitive information from travelers, including license plate information and social media identifiers," Neema Singh Guliani, a lawyer for the American Civil Liberties Union, said in a statement. "This incident further underscores the need to put the brakes on these efforts and for Congress to investigate the agency’s data practices. The best way to avoid breaches of sensitive personal data is not to collect and retain such data in the first place."

“One very good reason that databases that are law enforcement– and privacy-sensitive, as this one is, should be wholly governmental and not subject to contractors or subcontractors,” said Theresa Brown, a former CBP adviser who now heads immigration policy at the Bipartisan Policy Center. “There should never have been the ability to download a database like this off of government servers.”



In its announcement Monday, CBP did not mention the name of the subcontractor, how many people have been affected by the breach, and whether the breach affected primarily US citizens or noncitizens. Congressional lawmakers and staffers were notified of the breach on Saturday.

Bennie Thompson, chairman of the House Homeland Security Committee, said he would hold hearings on how DHS uses biometric information next month.

“Government use of biometric and personal identifiable information can be valuable tools only if utilized properly. Unfortunately, this is the second major privacy breach at DHS this year," he said. "We must ensure we are not expanding the use of biometrics at the expense of the privacy of the American public."

Read CBP's full statement below: