Cyber Incident Victim: U.S. Customs and Border Protection
Date:
May 2019
Location:
United States of America
Summary
A breach involving a federal subcontractor compromised traveler photos and license plate data collected by U.S. Customs and Border Protection at a single land border entry point over approximately six weeks, affecting fewer than 100,000 individuals. The unauthorized data transfer occurred despite mandatory security protocols, though no passport details, travel documents, or airline passenger images were exposed. While the compromised information had not surfaced on public platforms at the time of disclosure, the incident intensified scrutiny over biometric data collection practices and storage risks. The agency collaborated with law enforcement and cybersecurity entities to investigate the violation, which implicated a subcontractor previously linked to border surveillance technology deployments across multiple states.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On May 31, 2019, U.S. Customs and Border Protection (CBP) discovered a data breach involving traveler photographs and license plate information collected at a land border Port of Entry. The compromised data stemmed from an attack on a federal subcontractor responsible for processing border crossing information. The breach affected images captured over a six-week period from travelers in vehicles entering and exiting the United States through specific lanes at a single, unnamed border location. CBP confirmed that fewer than 100,000 individuals were impacted, with no passport data, travel document photos, or airline passenger facial recognition records from its Biometric Exit program exposed. Initial investigations revealed the subcontractor had violated mandatory security and privacy protocols outlined in their contract by transferring sensitive image data from CBP systems without authorization.
The breach drew immediate scrutiny due to the exposure of biometric data, prompting CBP to notify Congress and collaborate with law enforcement agencies, cybersecurity entities, and its Office of Professional Responsibility. As of June 11, 2019, no breached images had been identified on the dark web or public internet. Media reports linked the incident to Perceptics, a license plate reader technology provider whose systems were compromised around the same time, though CBP did not publicly confirm this connection. The subcontractor’s systems stored license plate details—including state, plate number, type, and timestamps—alongside driver images, but no additional personally identifiable information accompanied the leaked data. Privacy advocates, including the ACLU and Electronic Frontier Foundation, criticized CBP’s expanding biometric data collection practices, citing systemic risks of theft and misuse. The incident amplified existing public concerns about facial recognition technology, coinciding with CBP’s operational expansion of biometric screening to 17 air travel locations under its Biometric Exit program.