WASHINGTON — Tens of thousands of images of travelers and license plates stored by the Customs and Border Protection agency have been stolen in a cyberattack, officials said Monday, prompting renewed questions about how the federal government secures and shares personal data.
A Customs and Border Protection official said the agency learned May 31 that a federal subcontractor transferred copies of the images to the subcontractor’s network, which the agency said was done without its knowledge and in violation of the contract. The subcontractor’s network was then hacked.
A U.S. government official said no more than 100,000 people had their information compromised by the attack.
If that number holds, it would be far smaller than a 2014 breach at the Office of Personnel Management, which lost roughly 22 million security clearance files for government officials and contractors. In that case, China was later identified as the nation that had pulled off what remains the largest known theft of U.S. government data.
“As of today, none of the image data has been identified on the dark web or internet,” the Customs and Border Protection agency said in a statement.
That may not be surprising. If the images were stolen for intelligence purposes, they would not be expected to show up for sale. The Office of Personnel Management data has never surfaced publicly.
The customs and border agency, a part of the Homeland Security Department, collects passport and visa photographs for a database used for a facial recognition program at airports that department officials say is aimed at expediting movement among travelers. The Customs and Border Protection agency also captures images of the license plates on vehicles entering and exiting the ports of entry along the border.
Neema Singh Guliani, the senior legislative counsel for the American Civil Liberties Union, said the breach exposed the risks of the facial recognition program.
“This incident further underscores the need to put the brakes on these efforts and for Congress to investigate the agency’s data practices,” Guliani said. “The best way to avoid breaches of sensitive personal data is not to collect and retain such data in the first place.” — (The New York Times)