Photos of travelers and vehicles crossing U.S. borders were taken from a Customs and Border Patrol (CBP) subcontractor through a cyberattack, the agency said Monday.

“CBP learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network,” CBP said in a statement.

The agency didn’t provide information on the images or how they were collected, but said “initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract.”

The CBP has found no evidence that the information “has been identified on the Dark Web or internet.”

CBP also didn’t name the contractor, but the title of a statement sent to the Washington Post contained the name “Perceptics,” a company that provides license plate readers for the U.S. government to use at the Mexican border.

The Tennessee-based company at the end of May said a threat actor by the alias “Boris Bullet-Dodger” broke into its database and posted its contents on the dark web. The hacker leaked 65,000 file names and accompanying directories including files that contained location data, zip codes, presumed government clients, dates, timestamps, image files and other sensitive data that amounted to hundreds of gigabytes of information.

The breach at the CBP contractor raises questions not only about how the CBP protects data but why it was being gathered and stored in the first place.

“Why did this contract move all our face pictures to their network? What were they trying to do with that data?” asked Pierluigi Stella, CTO of Network Box USA. “I have problems with the government keeping that information; I definitely have big issues with a private corporation doing so. Someone here needs to explain to us why that data was moved to the network of a private government subcontractor, to what end, what were they doing with that data?”

But travelers have no recourse, “unless a traveler can prove that they have been harmed somehow by the disclosure of their information and location at a border or airport, however, there is very little anyone can do once their information has been stolen, and then often made available on the dark web,” said Robert Cattanach, a partner at the law firm Dorsey & Whitney. And they’re likely not to find relief under laws like the California Consumer Privacy Act (CCPA), which does not apply to the U.S. government.

Still, the incident could raise the hackles of privacy regulators in Europe. “Given that this breach is likely to contain a host of information from European Union data subjects, there may be challenging and interesting GDPR implications,” said Tim Erlin, vice president, product management and strategy, at Tripwire.

The CBP contractor “breach comes just as CBP seeks to expand its massive face recognition apparatus and collection of sensitive information from travelers, including license plate information and social media identifiers,” said American Civil Liberties Union (ACLU) Senior Legislative Counsel Neema Singh Guliani. “This incident further underscores the need to put the brakes on these efforts and for Congress to investigate the agency’s data practices.”

“Any disclosure of traveler information is obviously concerning to anyone who has crossed the U.S. border recently, but should be looked at through the lens of how the evolution of technology is occurring at our borders,” said Tim Mackey, principal security strategist at Synopsys.

“With Trusted Traveler programs like Global Entry, Nexus and Mobile Passports becoming the norm for frequent travelers and with pilot programs using facial recognition systems occurring with some airlines, public confidence in the security of traveler data and cross border commerce is paramount.”

Pointing out that “this is the second major privacy breach at DHS this year,” Rep. Bennie Thompson, D-Miss., chairman of the House Homeland Security Commission, pledged to hold hearings on DHS’s use of biometric data. “Use of biometric and personal identifiable information can be valuable tools only if utilized properly,” Thompson said in a statement. “We must ensure we are not expanding the use of biometrics at the expense of the privacy of the American public.”

The incident highlights the ongoing challenge organizations face in ensuring the security of third-party providers. “This is a reminder that bad actors rarely use the front door, instead finding the weakest link or the lowest common denominator to gain access,” said Grant McCracken, Director of Solutions, Bugcrowd. “We’ve seen it where a company’s main website is secure, but they’ve contracted out subdomains that are highly vulnerable and leave them as easy targets.”

Since a subcontractor’s network was compromised, “this is more akin to an internal misuse,” said Chris Morales, head of security analytics at Vectra. “The trusted insider is the hardest thing to protect for and even harder to monitor.”

Terence Jackson, CISO at Thycotic, called for private and public sector organizations “to perform due diligence on their contractors on a continuous manner,” noting that many organizations self-certify to NIST 800-171, which addresses contractor security controls, “and don’t keep up with” best practices.

Information-rich organizations like the CBP are always in the crosshairs. “Due to the nature of the data involved in cross border activities, CBP and its sub-contractors are a prime target for malicious actors seeking to disrupt travel and trade between the US and its partners,” said Mackey. That the subcontractor transferred data from the CBP to its own database “calls into question the level of authorization required for data transfer between systems connected to a CBP network and serves as a lesson for everyone running an IT system with access to sensitive data.”

But the ACLU’s Guliani had a simpler solution. “The best way to avoid breaches of sensitive personal data is not to collect and retain such data in the first place,” she said.