The cyberattack comes just as facial recognition technology is being increasingly used by the U.S. government to identify travelers.
The U.S. Customs and Border Patrol (CBP) reported this week that it has learned of a data breach in which tens of thousands of images of travelers and license plates were hacked.
The agency said in a statement on Monday that it found out about the breach on May 31, when it discovered that a subcontractor had violated CBP policies, having transferred copies of traveler and license plate images to the subcontractor’s company network without CBP’s authorization or knowledge. The subcontractor’s network was subsequently compromised by a cyberattack.
As of Monday, according to CBP, none of the image data had been found on black market websites where data and technology are hawked. CBP said it had alerted law enforcement agencies and cybersecurity entities that it is working with to investigate the incident.
Initial reports indicate that up to 100,000 traveler images were obtained and that the photographs were taken of travelers in vehicles entering and exiting the United States through a few lanes at a single land border port of entry over a period of six weeks. CBP did not specify the port of entry from which the images in the breach were obtained.
No passport or other travel document photographs were compromised, and no images of airline passengers from air entry or exit ports were involved.
CBP reported that it has removed from service all equipment related to the breach.
The breach comes just as CBP and the U.S. Transportation Security Administration (TSA) have been working together to expand the use of biometric technology, which includes both facial and fingerprint recognition, to help verify travelers’ identities.
This past October, TSA released its roadmap for ramping up the use of biometric technology, which includes continuing to expand the use of biometric screening for international travelers, incorporating biometrics into the TSA PreCheck experience, and ultimately expanding biometrics to domestic travelers.
TSA, together with CBP, began testing facial recognition technology for international air travelers at John F. Kennedy International Airport in 2017 and expanded testing to Los Angeles International Airport in 2018. The technology is intended to match facial images to photos in government databases, such as photos obtained from passports or visa applications, in order to verify travelers’ identity and reduce the reliance on physical documents.
In an effort to build up its database of those photographs, as of last September TSA now requires that passengers who enroll in TSA PreCheck or renew their membership also provide their photograph. Once there are enough images in the database, TSA plans to start using applicants’ photographs to test facial biometric technology in TSA PreCheck lanes at select airports. In December, Delta Air Lines partnered with CBP and TSA to introduce the first biometric terminal in the United States at the Hartsfield-Jackson Atlanta International Airport.
While most of the biometric advancements have been made at airports, CBP has been testing the technology at some land borders as well. Last September, the agency began testing facial comparison technology at the San Luis Port of Entry land border in San Luis, Arizona, where a camera was installed to take photographs of pedestrians entering the United States to compare those images against travel document photos. That followed a biometric technology test at the Otay Mesa pedestrian crossing in San Diego, California, in 2015.