Images of tens of thousands of people crossing the US border with Mexico have been stolen in a major hack, the US Customs and Border Patrol (CBP) has said.
The breach, which affected the network of a sub-contractor, also saw photos of vehicle licence plates stolen, said the CBP.
It said fewer than 100,000 people were affected based on “initial reports”.
It also contradicted claims that image data had been shared on the dark web.
“CBP has alerted Members of Congress and is working closely with other law enforcement agencies and cyber-security entities… to actively investigate the incident,” it added.
- Amazon heads off facial ID rebellion
- Police ‘miss’ chances to improve face tech
CBP uses cameras at airports and land border crossings as part of a growing facial-recognition programme designed to track people entering and exiting the US.
The agency said the sub-contractor in the breach had stored the images on its systems without official consent, and that CBP’s own systems were not affected.
The pictures were of people in vehicles entering and leaving the country via a single border entry point, which CBP did not name.
It said that no other identifying information – such as passport data or other travel document photos – had been compromised.
In late May, technology news website the Register reported that images of licence plates belonging to vehicles passing through CBP checkpoints had been shared on the dark web.
But the agency, which learned of the breach on 31 May, said none of the image data had been identified “on the dark web or internet”.
US law enforcement agencies argue that facial recognition systems enhance border security and help to catch criminals.
But there are growing concerns they may infringe privacy and increase the risk of identity theft.
Senator Ron Wyden told the Washington Post: “If the government collects sensitive information about Americans, it is responsible for protecting it – and that’s just as true if it contracts with a private company.
“Anyone whose information was compromised should be notified by customs, and the government needs to explain exactly how it intends to prevent this kind of breach from happening in the future.”
Neema Singh Guliani, senior legislative counsel at the American Civil Liberties Union, said: “This breach comes just as CBP seeks to expand its massive face recognition apparatus and collection of sensitive information from travellers, including licence plate information and social media identifiers.
“This incident further underscores the need to put the brakes on these efforts and for Congress to investigate the agency’s data practices.”