A “malicious cyberattack” on a U.S. Customs and Border Protection subcontractor compromised photographs of travelers going into and out of the country, along with license plates, the agency said Monday.
How many images were compromised and where and when they were collected is unclear, but Customs and Border Protection has known about the attack since May 31. According to the agency, a subcontractor transferred the images to its network “in violation of CBP policies and without CBP’s authorization or knowledge.”
Officials claim that the stolen information hasn’t shown up on the internet or dark web. The Register found files from CBP contractor Perceptics, which makes license plate readers, on the dark web last month.
CBP hasn’t confirmed which of its contractors was attacked, so it’s not clear if the two incidents are connected.
The breach drew condemnation from privacy advocates, including the Electronic Frontier Foundation (EFF).
“EFF is disappointed by reports of the theft from CBP of photos of travelers’ faces and license plates,” said the organization’s senior staff attorney Adam Schwartz. “The inherent risk of such theft is among the reasons why the government should not be amassing this sensitive information in the first place.”
When you arrive in the U.S. after an international flight, your stop at customs may include an agent snapping a photo of you. Using facial recognition technology, the agent can then match it with a “biometric template.” That template is a string of numbers representing, say, your passport photo.
“These templates are irreversible and cannot be reverse-engineered by anyone outside of CBP to reconstruct the photo,” according to the CBP.
Customs and Border Protection says it “discards” photos of U.S. citizens and exempt aliens within 12 hours of verifying their identity. It can take 14 days to delete other travelers’ photographs. According to agency rules, airports and other partners aren’t allowed to keep any traveler photos they take for identification purposes.
The breach comes at a time when some airlines are planning on using facial recognition not just at customs but for flight check-in and baggage drop, The Washington Post reports.
It’s not clear exactly how a hacker could use a photo of your face, but there are some protections if your license plate information is stolen. While the Driver’s Privacy Protection Act makes it difficult to track down someone’s personal information just from a license plate, some privacy advocates have raised concerns about the amount of data automated plate readers suck up.
This is a developing story, and we’ll update it as we learn more information.