The federal agency said license plate images also were exposed in the attack.
A CBP spokesperson told Fox News that initial reports indicated the traveler images involved fewer than 100,000 people in vehicles leaving and entering the U.S. through one land border port of entry over a period of a month and a half. The spokesperson would not elaborate on exactly where that port of entry was located but added that no other identifying information was available.
In a statement sent to Fox News on Monday, a CBP spokesperson said, “On May 31, 2019, CBP learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network.”
The spokesperson continued, “The subcontractor’s network was subsequently compromised by a malicious cyber-attack,” adding that CBP networks and databases were not compromised. The spokesperson did not identify the subcontractor.
No passport or travel document pictures were compromised in the data breach and no images of airline passengers were involved, the spokesperson added.
The agency “alerted members of Congress,” according to the statement, which added that CBP was working closely with other law enforcement agencies and cybersecurity entities, as well as its own Office of Professional Responsibility, to investigate the incident.
“CBP will unwaveringly work with all partners to determine the extent of the breach and the appropriate response,” the spokesperson said.
“Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract,” according to the statement, which added that none of the data has been identified on the internet or Dark Web to date.
“CBP has removed from service all equipment related to the breach,” the spokesperson said, adding that the agency was monitoring all CBP work performed by the subcontractor.
“CBP requires that all contractors and service providers maintain appropriate data integrity and cybersecurity controls and follow all incident response notification and remediation procedures,” the statement said. “CBP takes its privacy and cybersecurity responsibilities very seriously and demands all contractors to do the same.”
The spokesperson told Fox News that CBP will take additional appropriate actions once the investigation is complete and will continue to look out for any unauthorized leaks of information.
The data breach came as the agency has moved to expand its biometric data collection through facial recognition exit technology at airports.
“This incident further underscores the need to put the brakes on these efforts and for Congress to investigate the agency’s data practices,” Neema Singh Guliani, senior legislative counsel at the American Civil Liberties Union, told Fox News.
“The best way to avoid breaches of sensitive personal data is not to collect and retain such data in the first place.”