Government surveillance photos of travelers hacked in 'malicious cyber-attack'

The data was transferred to a private contractor before it was compromised.

Government surveillance photos of international travelers and license plates were hacked as part of a "malicious cyber-attack" on a federal contractor, U.S. Customs and Border Protection said in a statement Monday.

None of the photos have ended up online, according to CBP, but the agency said in the statement that it's working to figure out, "the extent of the breach and the appropriate response."

A CBP spokesperson says the hacked photos were taken of travelers waiting in line at a specific land border crossing. The spokesperson could not say whether the crossing was on the northern or southern border.

CBP cited "initial reports" saying the breach involved data from fewer than 100,000 people over the course of a month and a half. The agency says no other "identifying information" was compromised included passports or other travel documents.

"CBP continues to actively investigate the incident and will take additional appropriate actions once the investigation is complete," the spokesperson said in a statement. "In addition, CBP and federal authorities will continue to monitor for any unauthorized disclosure of the information involved in this incident."

The top Democrat on the House Homeland Security Committee defended the surveillance program, but promised additional oversight.

“Government use of biometric and personal identifiable information can be valuable tools only if utilized properly," said Rep. Bennie Thompson. "We must ensure we are not expanding the use of biometrics at the expense of the privacy of the American public.”

The hack took place after the images were transferred to the network of a private subcontractor, which CBP said was a violation of department policy.

"No CBP systems were compromised," the agency said in the statement.

The subcontractor broke multiple security and privacy protocols, according to CBP, which continues to investigate the incident. Federal officials said they learned of the violations and subsequent attack late last month.

The ACLU responded to the news calling on the federal government to end those type of data collection efforts.

"The best way to avoid breaches of sensitive personal data is not to collect and retain such data in the first place," ACLU Senior Legislative Counsel Neema Singh Guliani said in a statement on Monday.

Guliani warned against CBP expanding the use of facial recognition technology and said that Congress should investigate how the agency collects and uses personal data.