The US Customs and Border Protection agency admitted today to a data breach that occurred at one of its subcontractors, during which a hacker stole license plate and facial recognition photos.
"CBP learned that a subcontractor, in violation of CBP policies and without CBP's authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor's company network," the agency said in a short press release.
"The subcontractor's network was subsequentially compromised by a malicious cyber-attack," it added.
The CBP blamed the subcontractor for the breach, indicating that the company was not authorized to transfer traveler's photos to its network.
The CBP maintains an image database of all travelers' entering the US. The database includes passport headshots, but also images acquired from license plate readers, for all cars crossing a US border. It's these photos database that the hacker gained access to.
The agency said it learned of the breach on May 31, when it also contacted law enforcement and alerted members of Congress.
The CBP also took steps to remove travelers' data from the subcontractor's network, it said.
The agency didn't name the contractor by name, but The Register reported on May 24 that a hacker named "Boris Bullet-Dodger" breached Perceptics, a company that provides license plate reader technology for the US-Mexico border, and then published the information online.
It is unclear if the CBP report refers to the same incident, or a different one.
"As of today, none of the [stolen] image data has been identified on the Dark Web or internet," CBP said.
"CBP has removed from service all equipment related to the breach and is closely monitoring all CBP work by the subcontractor."
Despite the hacker having access to the subcontractor's systems, the CBP said the hacker didn't manage to escalate access to the CBP's internal network.