The official said Perceptics was attempting to use the data to refine its algorithms as part of a CBP-sanctioned pilot program to match license plates with the faces of a car's occupants, which the official said was outside of the CBP's sanctioned use.
Government surveillance photos of worldwide travelers and license plates were hacked as part of a "malicious cyber-attack" on a federal contractor, U.S. Customs and Border Protection said in a statement Monday.
"The subcontractor's network was subsequently compromised by a malicious cyber-attack.No CBP systems were compromised", the agency said in a statement on Monday.
The CBP also took steps to remove travelers' data from the subcontractor's network, it said.
The CBP issued a statement outlining how it learned on May 31 that the unnamed contractor, against Uncle Sam's privacy rules and security measures, copied license plate scans and traveler pictures to its own network, only to have that network invaded by hackers and the data stolen.
CBP said none of the data had surfaced on the internet or Dark Web.
The Electronic Frontier Foundation, which says it defends civil liberties in the digital world, warns that "Location-based information like license plate data can be very revealing".
The CBP maintains an image database of all travelers' entering the US. "CBP has alerted Members of Congress and is working closely with other law enforcement agencies and cybersecurity entities, and its own Office of Professional Responsibility to actively investigate the incident", the agency said.
It was not clear how many of those affected were US citizens or foreigners.
The Washington Post said its reporters received a Microsoft Word document Monday that included the name "Perceptics" in the title: 'CBP Perceptics Public Statement'.
CBP processes more than one million passengers and pedestrians crossing USA borders each day. "No CBP systems were compromised", the agency said in a statement on Monday.
The Register also noted that as of June 10, the hidden website offering the Perceptics data still listed the data as available for download. The Register said the hacker provided it with a list of files exfiltrated from the Perceptics corporate network and said a company spokesperson had confirmed the hack.
Sen. Ron Wyden (D-OR) expressed similar concerns to the Washington Post, criticizing CBP and its contractors for failing to protect sensitive data and failing to inform affected individuals immediately after the breach was discovered at the end of May.
"Government use of biometric and personal identifiable information can be valuable tools only if utilized properly".