Hackers have stolen thousands of photos of travelers and their license plates from a subcontractor of Customs and Border Protection, the agency announced on Monday. A source told the Washington Post that the data was collected at a particular port of entry on the Canadian border.

CBP declined to identify the subcontractor, but the agency sent the Washington Post a document with the title "CBP Perceptics Public Statement." Perceptics sells license plate reader technology, and the Register reported last month that the company's network had been hacked.

CBP says it learned of the breach on May 31, and the organization stated that its own network was not compromised. The agency says that the subcontractor violated agency policies when it copied the photos to its own network, making them more vulnerable to hacking.

"CBP takes its privacy and cybersecurity responsibilities very seriously and demands all contractors to do the same," the agency said.

The breach could have been worse. A law enforcement source told Buzzfeed that fewer than 100,000 people had their information leaked and that "no other identifying information was included with the photos and no passport or other travel document photos were compromised." For comparison, the 2015 hack of the Office of Personnel management affected more than 20 million people and leaked a wide range of personal information.

The breach highlights one of the inherent risks created by routine collection of peoples' photos. Some airlines have begun using facial recognition technology instead of conventional tickets for international flights. (To be clear, last month's data breach was reportedly from a land border crossing, not an airport.) The change may make it slightly more convenient to board an airplane and may also aid with immigration enforcement. But it also means that airlines are amassing vast databases of peoples' faces—databases that could fall into the hands of hackers in the future.