WASHINGTON — Tens of thousands of images of travelers and license plates stored by the Customs and Border Protection agency have been stolen in a digital breach, officials said Monday, prompting renewed questions about how the federal government secures and shares personal data.
An official at the agency said it learned on May 31 that a federal subcontractor had transferred copies of the images to the subcontractor’s network, which the agency said was done without its knowledge and in violation of the contract. The subcontractor’s network was then hacked.
The hacked material did not include images from airports, but rather of drivers and license plates of vehicles crossing the border, officials said. One United States government official said no more than 100,000 people had their information compromised by the attack.
If that number holds, it would be far smaller than a 2014 breach at the Office of Personnel Management, which lost roughly 22 million security clearance files for government officials and contractors. In that case, China was later identified as the nation that had pulled off what remains the largest known theft of United States government data.
“As of today, none of the image data has been identified on the dark web or internet,” the Customs and Border Protection agency said in a statement.
That may not be surprising. If the images were stolen for intelligence purposes, they would not be expected to show up for sale. The Office of Personnel Management data has never surfaced publicly.
The customs and border agency is part of the Homeland Security Department, which has primary responsibility for cybersecurity inside the United States. Its cybersecurity operations were a particular focus of the previous secretary of homeland security, Kirstjen Nielsen, whose efforts to get the White House to devote more attention to the issue — including cabinet-level meetings on election security — were repeatedly turned down.
The imagery of travelers — citizens, visitors or prospective immigrants — arriving in the United States would be of little value to thieves. But it might be useful to foreign governments interested in tracking Americans, or in the agency’s procedures.
Customs and Border Protection said in a statement that it removed from service the equipment involved in the breach and informed Congress of the attack. The agency declined to say which subcontractor was involved.
But another government official identified the subcontractor as Perceptics, a Tennessee-based company that makes license plate readers and provides the United States government with other border security services. Perceptics was reported last month to have been hacked. It is not clear whether the breach reported by the government on Monday was the same incident. Perceptics did not return requests for comment.
Representative Bennie Thompson, Democrat of Mississippi and the chairman of the House Homeland Security committee, noted in a statement that this was the second time data from a Homeland Security agency was obtained by a subcontractor.
In March, the Homeland Security Department’s Office of Inspector General released a memo saying the Federal Emergency Management Agency had unnecessarily shared the sensitive personal data of two million disaster victims.
“We must ensure we are not expanding the use of biometrics at the expense of the privacy of the American public,” Mr. Thompson said in a statement. He said he planned to hold hearings on the use of the data next month.
The hacking of photos and license plate information comes as Customs and Border Protection has been widening its surveillance of both United States residents and visitors.
The agency has for years used license plate readers at border crossings. It is deploying facial recognition systems for travelers leaving the country from certain airports — part of exit records that the agency said it can maintain for 15 years for United States citizens and 75 years for visitors.
In March, the agency said it was monitoring and might collect information from public social media accounts to identify “potential threats or dangers” to its own employees.
Civil liberties experts said the breach called into question the ability of the agency to safeguard its expanding stockpile of people’s private details.
“What you are seeing is a direct result of the agency collecting massive amounts of information, without full consideration of the privacy and security consequences,” said Neema Singh Guliani, senior legislative counsel at the American Civil Liberties Union. “Minimizing that data collection is not just good policy from a civil liberties standpoint, but is actually very important from a security standpoint.”
Breaches of government contractors have been a persistent security issue.
That is how the United States lost many of the designs for the F-35, the most expensive fighter jet in history, which China has now largely copied. The first breaches of data from the Office of Personnel Management started with a contractor doing interviews for security clearances. And Edward J. Snowden, who left for Hong Kong and Moscow with vast amounts of data held inside the National Security Agency, was a contractor working at the N.S.A.’s outpost in Hawaii.
After each of those breaches, the government promised to tighten its systems. But they are so vast, and so antiquated, that the idea of securing such a range of data is, in the minds of many officials, an impossible task. And the effort to set up alarm systems, which would provide early warning when large amounts of data are removed, has been hampered by a shortage of funds, focus and expertise — a problem that the Homeland Security Department has vowed to fix.