Data from facial recognition scans performed by US Customs and Border Patrol on travelers crossing at an unnamed lander border point (an anonymous source says it's a US-Canada crossing) have been stolen by hacker or hackers unknown.
The CBP doesn't know how many records were leaked, but estimates the number at less than 100k. The CBP refused to state which contractor breached the data, but the memo it sent to the Washington Post about the breach was titled "CBP Perceptics Public Statement" and since Perceptics is a CBP contractor that does facial recognition (as well as license plate cameras and other forms of surveillance), it's a good bet that Perceptics is the culprit — especially since Perceptics had hundreds of gigs of data breached and dumped last month by a person or persons going by "Boris the Bullet-Dodger" (it's possible that the facial recognition database was part of that dump.
The CBP says the stolen facial recognition data isn't circulating, so maybe it wasn't part of the Boris the Bullet-Dodger dump, or maybe they're just lying or incompetent (see above, re: a memo entitled "CBP Perceptics Public Statement").
As Brian Barrett points out on Wired, the fact that this was a contractor breach shouldn't make you feel any more secure — the most sensitive data being collected by US government agencies is being stored insecurely by grifty Beltway Bandits who are leaking it all over the fucking internet.
CBP collects tons of facial recognition data at border crossings, airports, etc, both overtly (by making you scan your face) and covertly (using CCTV footage to feed its databases).
You can always opt out by simply not having a face.
One U.S. official, who spoke on condition of anonymity due to lack of authorization to discuss the breach, said it was being described inside CBP as a "major incident." The official said Perceptics was attempting to use the data to refine its algorithms to match license plates with the faces of a car's occupants, which the official said was outside of CBP's sanctioned use. The official said the data involved travelers crossing the Canadian border.
The breach, according to the official, did not involve a foreign nation, such as when China hacked the Office of Personnel Management in 2014 exposing the sensitive information of at least 22 million people.
News of the breach raised alarms in Congress, where lawmakers have questioned whether the government's expanded surveillance measures could threaten constitutional rights and open millions of innocent people to identity theft.
"If the government collects sensitive information about Americans, it is responsible for protecting it — and that's just as true if it contracts with a private company," Sen. Ron Wyden (D-Ore.) said in a statement to The Post. "Anyone whose information was compromised should be notified by Customs, and the government needs to explain exactly how it intends to prevent this kind of breach from happening in the future."
U.S. Customs and Border Protection says photos of travelers were taken in a data breach [Drew Harwell and Geoffrey A. Fowler/Washington Post]
Hackers Stole a Border Agency Database of Traveler Photos [Brian Barrett/Wired]