A cyberattack on a subcontractor working for U.S. Customs and Border Protection compromised tens of thousands of traveler photos, an agency official said June 10.
Earlier in the day, the agency announced that an unspecified number of traveler photos and license plate images collected by the agency had been compromised in a “malicious cyberattack” on a subcontractor. By the evening, a spokesman said an initial assessment found less than 100,000 photos had been compromised.
The photographs were of travelers in vehicles from “a few specific lanes at a single land border port of entry over a 1.5-month period," a spokesman said in an email. The agency did not provide additional details on where the port of entry was or what months the photos were taken.
“No other identifying information was included with the images,” an agency official said.
In addition, government officials said that no passport or other travel document photographs were compromised in the breach. The agency also clarified that photos of airline passengers from the air entry/exit process also were not included.
“CBP continues to actively investigate the incident and will take additional appropriate actions once the investigation is complete,” an agency official said in a statement Monday night. “In addition, CBP and federal authorities will continue to monitor for any unauthorized disclosure of the information involved in this incident.”
The hack occurred after an unidentified subcontractor transferred copies of the traveler and license plate images onto its own network, which was subsequently breached. A CBP spokesperson said in an earlier statement that the subcontractor had copied the images over in violation in CBP policy and without the agency’s knowledge or authorization.
“Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract,” an earlier CBP statement said.
CBP learned of the attack May 31, according to the statement. It also said the agency has alerted members of Congress about the breach and no CBP systems were compromised.
According to CBP, none of the stolen images have appeared on the Dark Web or other internet forums.
CBP has not ended its relationship with the contractor, according to the earlier statement. It is not immediately clear if the subcontractor will continue to work with the agency.
“CBP has removed from service all equipment related to the breach and is closely monitoring all CBP work by the subcontractor,” the statement said. “CBP requires that all contractors and service providers maintain appropriate data integrity and cybersecurity controls and follow all incident response notification and remediation procedures.”