WASHINGTON • US Customs and Border Protection (CBP) officials said on Monday that photos of travellers were compromised as part of a "malicious cyber attack", raising concerns over how federal officials' expanding surveillance efforts could imperil Americans' privacy.
Customs officials said that the images, which included photos of people's faces and licence plates, had been compromised as part of an attack on a federal subcontractor.
The CBP makes extensive use of cameras and video recordings at airports and land border crossings, where images of vehicles are captured. Those images are used as part of a growing agency facial-recognition programme designed to track the identity of people entering and exiting the United States.
The CBP said airport operations were not affected by the breach, but it declined to say how many people might have had their images stolen.
The agency processes more than a million passengers and pedestrians crossing the US border on an average day, including more than 690,000 incoming land travellers.
A CBP statement said that the agency learnt of the breach on May 31 and that none of the image data had been identified "on the Dark Web or Internet".
But reporters at The Register, a British technology news website, reported late last month that a large haul of breached data from the firm Perceptics was being offered as a free download on the Dark Web.
The US Customs and Border Protection (CBP) said copies of "licence plate images and traveller images collected by CBP" had been transferred to the subcontractor's company network, violating the agency's security and privacy rules. The subcontractor's network was then attacked and breached. No CBP systems were compromised, the agency said.
CBP spokesman Jackie Wren said she was "unable to confirm" whether Perceptics was the source of the breach. Perceptics representatives did not immediately respond to requests for comment.
The breach raised alarms in Congress, where lawmakers have questioned whether the government's expanded surveillance measures could threaten constitutional rights and expose millions of innocent people to identity theft.
"If the government collects sensitive information about Americans, it is responsible for protecting it - and that's just as true if it contracts with a private company," Oregon Senator Ron Wyden said in a statement to The Washington Post.
Civil-rights and privacy advocates also called the theft of the information a sign that the government's growing database of identifying imagery had become an alluring target for hackers and cyber criminals.
Ms Neema Singh Guliani, senior legislative counsel at the American Civil Liberties Union, said: "This breach comes just as CBP seeks to expand its massive face-recognition apparatus and collection of sensitive information from travellers, including licence plate information and social media identifiers.
"This incident further underscores the need to put the brakes on these efforts and for Congress to investigate the agency's data practices. The best way to avoid breaches of sensitive personal data is not to collect and retain it in the first place."
The CBP said copies of "licence plate images and traveller images collected by CBP" had been transferred to the subcontractor's company network, violating the agency's security and privacy rules. The subcontractor's network was then attacked and breached.
No CBP systems were compromised, the agency said. It is unclear whether passport or facial-recognition photographs were included in the breach.
Perceptics and other companies offer automated licence-plate reading devices that federal officials can use to track a vehicle, or its owner, as it travels on public roads.
Immigration agents have used such databases to track down people who may be in the country illegally. Police agencies have also used the data to look for potential suspects.