According to a statement that the US Customs and Border Protection (CBP) agency released last week, photos of travelers and their vehicle license plates snapped at a US border control point have been hacked. In an email statement to journalists, CBP confirmed that an undisclosed subcontractor transferred copies of license plates and travelers’ photos from federal servers to its own company network without CPB’s authorization. CBP reports that its own servers were unharmed by any cyber attack.

CBP uses cameras and video recordings at air and land border crossings as part of a growing agency facial-recognition program designed to track the identity of people entering and exiting the country. CBP stated that the images hacked were captured over a six-week period and taken as travelers left the US through specific lanes at a single, unspecified land-border crossing. However, privacy experts doubt that the hack stopped at photos of faces and license plates. Indeed, Chad Loder, the Founder & CEO of Habitu8, a cyber security firm that trains other companies on security awareness, stated that the full scope of the breach may be much larger than what CBP revealed. Given that CBP collects information such as fingerprints, facial data, and recently, social media accounts, Loder argues that if CBP’s contractor was targeted specifically, it’s “unlikely that the attacker would have stopped with just photo data.”  

Similarly, Andrew Ferguson, a law professor at the University of the District of Columbia who testified on the dangers of facial-recognition technology before the House Committee on Oversight and Reform this May, warned that the technology for facial recognition and other biometrics are “not ready for prime time,” concluding that “as was just demonstrated with the hack, the security systems are not ready for prime time either.”