US Customs and Border Protection (CBP) has suffered a data breach involving hackers getting access to photos of travelers and license plate images.

The attackers struck by targeting a third-party subcontractor, which had been storing the sensitive files over its own network. "The subcontractor's network was subsequently compromised by a malicious cyber-attack. No CBP systems were compromised," the agency said in a statement on Monday. The Washington Post was the first to report the news.

Many details of the attack remain unknown, such as how many people may have had their data exposed. Customs and Border Protection has only said that the agency's "air operations" were unaffected by the breach. So presumably, no facial recognition images of passengers taken at airports were looted.

It also isn't clear why the unnamed subcontractor was storing the data, but the CBP only learned of it late last month. "Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract," the agency added.

In response, Customs and Border Protection has been removing all the equipment related to breach and monitoring agency work done by the unnamed subcontractor. "As of today, none of the [stolen] image data has been identified on the Dark Web or internet," the agency added. "CBP has alerted Members of Congress and is working closely with other law enforcement agencies and cybersecurity entities, and its own Office of Professional Responsibility to actively investigate the incident."

Although no CBP-controlled network was breached in the hack, the incident underscores the security risks of a government agency collecting the personal data on so many people: it could one day leak, the American Civil Liberties Union said.

"This breach comes just as CBP seeks to expand its massive face recognition apparatus and collection of sensitive information from travelers, including license plate information and social media identifiers," said ACLU legislative counsel Neema Singh Guliani in a statement.

"The best way to avoid breaches of sensitive personal data is not to collect and retain such data in the first place," she added.

This article originally appeared on PCMag.com.