The move raised the ire of privacy advocates, and the CBP's latest incident has provoked calls for the agency to rethink its collection of travelers' data.
A congressional staffer whose office was notified by the agency said the breach affected fewer than 100,000 people. It was unclear how many photos were stolen or whether the data concerned US citizens.
While El Reg last month reported the data was being offered on the Tor network for anyone to download if they could find it - and indeed, we found it on a hidden .onion website after a tipster alerted us to the leak - the CBP's carefully worded statement on Monday this week noted that "as of today, none of the image data has been identified on the dark web or internet".
In an opinion piece ironically posted at the Washington Post just hours before the news story broke, titled "Don't smile for surveillance: Why airport face scans are a privacy trap", columnist Geoffrey A. Fowler warned that even as US consumers become more accustomed to facial recognition technology (such as using your face to unlock an iPhone or other device), what happens when a government agency or airline captures such an image at the airport is something entirely different.
"Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract", further notes CBP. The Post said the agency would not confirm, but that an emailed document included the title "CBP Perceptics Public Statement".
The conclusion of CBP's statement claims all equipment related to the breach has been "removed from service".
The CBP also took steps to remove travelers' data from the subcontractor's network, it said.
The database, which comprised photos of people's faces and license plates, had been transferred to the subcontractor's network without the federal agency's authorization or knowledge, a CBP spokesperson told The Register.
Recorded license plates are checked in real time against DHS databases to which 13 federal agencies have access.
The best way to avoid these kinds of breaches, Guliani added, "is not to collect and retain such data in the first place".
Because the CBP has been building an extensive photo database as part of its growing facial-recognition program, the privacy implications of this breach for American citizens and visitors could be grave.
Perceptics, of Farragut, Tenn., bills itself as the sole provider of licence-plate readers "for passenger vehicle primary inspection lanes at all land border ports of entry in the United States, Canada and at the most critical lanes in Mexico".