US Customs and Border Protection says traveler images were taken in cyberattack

Photos of travelers and license plates were taken in a data breach at a federal subcontractor in May.

Corinne Reichert Senior Editor


The US Customs and Border Protection says photos of travelers into and out of the country were stolen in a "malicious cyberattack" that hit one of its subcontractors in May. None of the images have been identified on the internet or on the dark web, CBP said in a statement Monday.

"In violation of CBP policies and without CBP's authorization or knowledge, [a subcontractor] transferred copies of license plate images and traveler images collected by CBP to the subcontractor's company network," the CBP said. "The subcontractor's network was subsequently compromised by a malicious cyberattack."

The CBP said it's removed from service all of the subcontractor's equipment and is monitoring its work. None of CBP's systems were compromised in the attack.  

CBP said it learned of the data breach May 31 and has alerted members of Congress.

The agency is investigating the breach, reported earlier by The Washington Post, alongside law enforcement and cybersecurity agencies, as well as its own Office of Professional Responsibility.

"CBP will unwaveringly work with all partners to determine the extent of the breach and the appropriate response," it said.

The agency has been expanding its use of a face-matching system called Biometric Exit at departure gates in several airports across the nation. 

"This breach comes just as CBP seeks to expand its massive face recognition apparatus and collection of sensitive information from travelers, including license plate information and social media identifiers," Neema Singh Guliani, American Civil Liberties Union senior legislative counsel, said in a statement Monday. "This incident further underscores the need to put the brakes on these efforts and for Congress to investigate the agency's data practices.

"The best way to avoid breaches of sensitive personal data is not to collect and retain such data in the first place."

According to a CBP official, the cyberattack affected fewer than 100,000 people who entered and exited the US in a vehicle through several specific lanes at one land border during a 1.5-month period.

CBP didn't specify which land border it was.

Passports and travel document photos weren't taken in the cyberattack, CBP added late Monday.

Sen. Rick Scott weighed in on the situation Wednesday with a letter he tweeted that demands answers from Acting Homeland Security Secretary Kevin McAleenan on what exactly happened.

The Florida senator also asked whether affected travelers have been notified, which states were affected and how the CBP plans to prevent these kinds of data breaches in future.

"Americans deserve to know how their personal information is being used, especially by their government," he wrote. "Anything other than full transparency is unacceptable."

First published at 1:38 p.m. PT on June 10. 
Updated on June 12 at 3:11 p.m. PT: adds comments from CBP official detailing how many people were affected and for how long.
Updated on June 12 at 3:22 p.m. PT: adds comments from Sen. Rick Scott.